Add rhcos4 Profile for BSI Grundschutz #13121

sluetze · 2025-02-27T17:22:26Z

Description:

This PR adds two control files, enhances a profile profile and adds a rule.

Rationale:

Customers were asking for a OpenShift Compliance Operator Profile for BSI. Our current Project Scope was only on SYS1.6. and APP.4.4 Building Blocks (Containers & Kubernetes). But there are more relevant and checkable Buildingblocks. The two biggest ones and most relevant ones are SYS1.1 (General Server) and SYS.1.3 (Linux Server). This PR adds these to enhance the ocp-bsi profile with an rhcos4-bsi profile.

rule only_allow_specific_certs this is a copy and generalization of the only_allow_dod_certs rule. As we have the same requirement i tried to make the rule not specific so it can be reused. I didnt want to change the DOD rule as I do not know, if the phrasing is important in this context

As in OCP4 we follow the scheme of adding one control file per Building Block. As we will have a different one for RHEL9, we postfix them with _rhcos4

Review Hints:

most of the rules are reused rules from other rhcos4 profiles, thats why it is only one "big" PR, and not several, as it can be tested as a bundle.

openshift-ci · 2025-02-27T17:22:38Z

Hi @sluetze. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

github-actions · 2025-02-27T17:26:09Z

This datastream diff is auto generated by the check Compare DS/Generate Diff

Click here to see the full diff

New content has different text for rule 'xccdf_org.ssgproject.content_rule_encrypt_partitions'.
--- xccdf_org.ssgproject.content_rule_encrypt_partitions
+++ xccdf_org.ssgproject.content_rule_encrypt_partitions
@@ -226,6 +226,9 @@
 [reference]:
 SRG-OS-000404-GPOS-00183
 
+[reference]:
+SYS.1.1.A34
+
 [rationale]:
 The risk of a system's physical compromise, particularly mobile systems such as
 laptops, places its data at risk of compromise.  Encrypting this data mitigates

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_tmp
@@ -76,6 +76,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 The /tmp partition is used as temporary storage by many programs.
 Placing /tmp in its own partition enables the setting of more

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var'.
--- xccdf_org.ssgproject.content_rule_partition_for_var
+++ xccdf_org.ssgproject.content_rule_partition_for_var
@@ -79,6 +79,9 @@
 [reference]:
 R28
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Ensuring that /var is mounted on its own partition enables the
 setting of more restrictive mount options. This helps protect

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_log'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_log
+++ xccdf_org.ssgproject.content_rule_partition_for_var_log
@@ -189,6 +189,9 @@
 [reference]:
 R28
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Placing /var/log in its own partition
 enables better separation between log files

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_var_tmp'.
--- xccdf_org.ssgproject.content_rule_partition_for_var_tmp
+++ xccdf_org.ssgproject.content_rule_partition_for_var_tmp
@@ -16,6 +16,9 @@
 [reference]:
 R28
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 The /var/tmp partition is used as temporary storage by many programs.
 Placing /var/tmp in its own partition enables the setting of more

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue
@@ -6,6 +6,9 @@
 To properly set the group owner of /etc/issue, run the command:
 $ sudo chgrp root /etc/issue
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Display of a standardized and approved use notification before granting
 access to the operating system ensures privacy and security notification

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_issue_net
@@ -5,6 +5,9 @@
 [description]:
 To properly set the group owner of /etc/issue.net, run the command:
 $ sudo chgrp root /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 1.2.8

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue
@@ -6,6 +6,9 @@
 To properly set the owner of /etc/issue, run the command:
 $ sudo chown root /etc/issue
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Display of a standardized and approved use notification before granting
 access to the operating system ensures privacy and security notification

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_issue_net
@@ -5,6 +5,9 @@
 [description]:
 To properly set the owner of /etc/issue.net, run the command:
 $ sudo chown root /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 1.2.8

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_issue
@@ -6,6 +6,9 @@
 To properly set the permissions of /etc/issue, run the command:
 $ sudo chmod 0644 /etc/issue
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Display of a standardized and approved use notification before granting
 access to the operating system ensures privacy and security notification

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_issue_net
@@ -5,6 +5,9 @@
 [description]:
 To properly set the permissions of /etc/issue.net, run the command:
 $ sudo chmod 0644 /etc/issue.net
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 1.2.8

New content has different text for rule 'xccdf_org.ssgproject.content_rule_account_unique_name'.
--- xccdf_org.ssgproject.content_rule_account_unique_name
+++ xccdf_org.ssgproject.content_rule_account_unique_name
@@ -22,6 +22,9 @@
 Req-8.1.1
 
 [reference]:
+SYS.1.3.A2
+
+[reference]:
 8.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_gid_passwd_group_same'.
--- xccdf_org.ssgproject.content_rule_gid_passwd_group_same
+++ xccdf_org.ssgproject.content_rule_gid_passwd_group_same
@@ -196,6 +196,9 @@
 
 [reference]:
 SRG-OS-000104-GPOS-00051
+
+[reference]:
+SYS.1.3.A2
 
 [reference]:
 8.2.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_pti_kernel_argument
@@ -13,6 +13,9 @@
 [reference]:
 SRG-OS-000433-GPOS-00193
 
+[reference]:
+SYS.1.3.A4
+
 [rationale]:
 Kernel page-table isolation is a kernel feature that mitigates
 the Meltdown security vulnerability and hardens the kernel

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
+++ xccdf_org.ssgproject.content_rule_grub2_rng_core_default_quality_argument
@@ -26,6 +26,9 @@
 [reference]:
 R8
 
+[reference]:
+SYS.1.1.A34
+
 [rationale]:
 A system may struggle to initialize its entropy pool and end up starving. Crediting entropy
 from the hardware number generators available in the system helps fill up the entropy pool.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_grub2_cfg
@@ -188,6 +188,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_user_cfg
@@ -185,6 +185,9 @@
 
 [reference]:
 R29
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 2.2.6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_grub2_cfg
@@ -188,6 +188,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_user_cfg
@@ -184,6 +184,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_grub2_cfg
@@ -177,6 +177,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_user_cfg
@@ -177,6 +177,9 @@
 R29
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_grub2_cfg
@@ -151,6 +151,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The root group is a highly-privileged group. Furthermore, the group-owner of this
 file should not have any access privileges anyway.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_groupowner_efi_user_cfg
@@ -150,6 +150,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The root group is a highly-privileged group. Furthermore, the group-owner of this
 file should not have any access privileges anyway. Non-root users who read the boot parameters

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_grub2_cfg
@@ -151,5 +151,8 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Only root should be able to modify important boot parameters.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_owner_efi_user_cfg
@@ -150,6 +150,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Only root should be able to modify important boot parameters. Also, non-root users who read
 the boot parameters may be able to identify weaknesses in security upon boot and be able to

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_grub2_cfg
@@ -143,6 +143,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Proper permissions ensure that only the root user can modify important boot
 parameters.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg'.
--- xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
+++ xccdf_org.ssgproject.content_rule_file_permissions_efi_user_cfg
@@ -143,6 +143,9 @@
 [reference]:
 R29
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Proper permissions ensure that only the root user can read or modify important boot
 parameters.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_firewire-core_disabled
@@ -19,6 +19,9 @@
 [reference]:
 SRG-OS-000095-GPOS-00049
 
+[reference]:
+SYS.1.1.A5
+
 [rationale]:
 Disabling FireWire protects the system against exploitation of any
 flaws in its implementation.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_service_bluetooth_disabled
@@ -327,6 +327,9 @@
 [reference]:
 PR.PT-4
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Disabling the bluetooth service prevents the system from attempting
 connections to Bluetooth devices, which entails some security risk.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_bluetooth_disabled
@@ -309,6 +309,9 @@
 [reference]:
 SRG-OS-000300-GPOS-00118
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Bluetooth functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_cfg80211_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_iwlmvm_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_iwlwifi_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_mac80211_disabled
@@ -28,6 +28,9 @@
 [reference]:
 AC-18(4)
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 If Wireless functionality must be disabled, preventing the kernel
 from loading the kernel module provides an additional safeguard against its

New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_in_bios'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
+++ xccdf_org.ssgproject.content_rule_wireless_disable_in_bios
@@ -290,6 +290,9 @@
 [reference]:
 PR.PT-4
 
+[reference]:
+SYS.1.1.A6
+
 [rationale]:
 Disabling wireless support in the BIOS prevents easy
 activation of the wireless interface, generally requiring administrators

New content has different text for rule 'xccdf_org.ssgproject.content_rule_wireless_disable_interfaces'.
--- xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
+++ xccdf_org.ssgproject.content_rule_wireless_disable_interfaces
@@ -325,6 +325,9 @@
 
 [reference]:
 SRG-OS-000481-GPOS-00481
+
+[reference]:
+SYS.1.1.A6
 
 [reference]:
 1.3.3

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable'.
--- xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
+++ xccdf_org.ssgproject.content_rule_file_permissions_unauthorized_world_writable
@@ -172,6 +172,9 @@
 R54
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_group
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_gshadow
@@ -17,6 +17,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
 it contains group password hashes. Protection of this file is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_passwd
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_backup_etc_shadow
@@ -15,6 +15,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_group
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_gshadow
@@ -167,6 +167,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow file contains group password hashes. Protection of this file
 is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_passwd
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_shadow
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_groupowner_etc_shells
@@ -15,6 +15,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/shells file contains the list of full pathnames to shells on the system.
 Since this file is used by many system programs this file should be protected.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_group
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_gshadow
@@ -17,6 +17,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
 it contains group password hashes. Protection of this file is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_passwd
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_backup_etc_shadow
@@ -18,6 +18,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_group
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_group
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_gshadow
@@ -167,6 +167,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow file contains group password hashes. Protection of this file
 is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_passwd
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shadow
@@ -174,6 +174,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_owner_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_owner_etc_shells
@@ -15,6 +15,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/shells file contains the list of full pathnames to shells on the system.
 Since this file is used by many system programs this file should be protected.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_group
@@ -19,6 +19,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_gshadow
@@ -15,6 +15,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow- file is a backup of /etc/gshadow, and as such,
 it contains group password hashes. Protection of this file is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
@@ -19,6 +19,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_shadow
@@ -19,6 +19,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_group'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_group
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_group
@@ -175,6 +175,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_gshadow
@@ -168,6 +168,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/gshadow file contains group password hashes. Protection of this file
 is critical for system security.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_passwd
@@ -175,6 +175,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_shadow
@@ -175,6 +175,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_etc_shells'.
--- xccdf_org.ssgproject.content_rule_file_permissions_etc_shells
+++ xccdf_org.ssgproject.content_rule_file_permissions_etc_shells
@@ -15,6 +15,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 The /etc/shells file contains the list of full pathnames to shells on the system.
 Since this file is used by many system programs this file should be protected.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -278,6 +278,9 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Disabling the automounter permits the administrator to
 statically control filesystem mounting through /etc/fstab.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_bios_disable_usb_boot'.
--- xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
+++ xccdf_org.ssgproject.content_rule_bios_disable_usb_boot
@@ -111,6 +111,9 @@
 [reference]:
 PR.AC-6
 
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Booting a system from a USB device would allow an attacker to
 circumvent any security measures provided by the operating system. Attackers

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_nousb_kernel_argument
@@ -136,6 +136,12 @@
 [reference]:
 PR.AC-6
 
+[reference]:
+SYS.1.1.A5
+
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Disabling the USB subsystem within the Linux kernel at system boot will
 protect against potentially malicious USB devices, although it is only practical

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_nousb_argument'.
--- xccdf_org.ssgproject.content_rule_grub2_nousb_argument
+++ xccdf_org.ssgproject.content_rule_grub2_nousb_argument
@@ -136,6 +136,9 @@
 [reference]:
 PR.AC-6
 
+[reference]:
+SYS.1.3.A3
+
 [rationale]:
 Disabling the USB subsystem within the Linux kernel at system boot will
 protect against potentially malicious USB devices, although it is only practical

New content has different text for rule 'xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled'.
--- xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
+++ xccdf_org.ssgproject.content_rule_kernel_module_usb-storage_disabled
@@ -249,6 +249,12 @@
 SRG-APP-000141-CTR-000315
 
 [reference]:
+SYS.1.1.A5
+
+[reference]:
+SYS.1.3.A3
+
+[reference]:
 3.4.2
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space'.
--- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
+++ xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
@@ -130,6 +130,9 @@
 R9
 
 [reference]:
+SYS.1.3.A4
+
+[reference]:
 3.3.1.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions'.
--- xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
+++ xccdf_org.ssgproject.content_rule_bios_enable_execution_restrictions
@@ -78,6 +78,9 @@
 SRG-APP-000450-CTR-001105
 
 [reference]:
+SYS.1.3.A4
+
+[reference]:
 2.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_page_poison_kernel_argument
@@ -12,6 +12,9 @@
 
 [reference]:
 SRG-APP-000243-CTR-000600
+
+[reference]:
+SYS.1.3.A4
 
 [reference]:
 CNTR-OS-000560

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_slub_debug_kernel_argument
@@ -12,6 +12,9 @@
 
 [reference]:
 SRG-APP-000243-CTR-000600
+
+[reference]:
+SYS.1.3.A4
 
 [reference]:
 CNTR-OS-000560

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_libselinux_installed'.
--- xccdf_org.ssgproject.content_rule_package_libselinux_installed
+++ xccdf_org.ssgproject.content_rule_package_libselinux_installed
@@ -6,6 +6,18 @@
 The libselinux package can be installed with the following command:
 
 $ sudo dnf install libselinux
+
+[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
 
 [reference]:
 1.2.6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_enable_selinux'.
--- xccdf_org.ssgproject.content_rule_grub2_enable_selinux
+++ xccdf_org.ssgproject.content_rule_grub2_enable_selinux
@@ -483,6 +483,18 @@
 PR.PT-4
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 1.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons'.
--- xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
+++ xccdf_org.ssgproject.content_rule_selinux_confinement_of_daemons
@@ -450,6 +450,15 @@
 PR.PT-3
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 1.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled'.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -16,6 +16,18 @@
 and give the administrator the opportunity to assess the impact and necessary efforts
 before setting it to "enforcing", which is strongly recommended.
 
+[reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A4
+
+[reference]:
+SYS.1.3.A10
+
 [rationale]:
 Running SELinux in disabled mode is strongly discouraged. It prevents enforcing the SELinux
 controls without a system reboot. It also avoids labeling any persistent objects such as

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype'.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -518,6 +518,15 @@
 APP.4.4.A4
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 SYS.1.6.A3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_selinux_state'.
--- xccdf_org.ssgproject.content_rule_selinux_state
+++ xccdf_org.ssgproject.content_rule_selinux_state
@@ -516,6 +516,15 @@
 APP.4.4.A4
 
 [reference]:
+SYS.1.1.A37
+
+[reference]:
+SYS.1.1.A31
+
+[reference]:
+SYS.1.3.A10
+
+[reference]:
 SYS.1.6.A3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_groupowner_sshd_config
@@ -171,6 +171,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Service configuration files enable or disable features of their respective
 services that if configured incorrectly can lead to insecure and vulnerable

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_private_key
@@ -13,5 +13,8 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_groupownership_sshd_pub_key
@@ -13,6 +13,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If a public host key file is modified by an unauthorized user, the SSH service
 may be compromised.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_owner_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_owner_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_owner_sshd_config
@@ -171,6 +171,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Service configuration files enable or disable features of their respective
 services that if configured incorrectly can lead to insecure and vulnerable

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_private_key
@@ -13,5 +13,8 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If an unauthorized user obtains the private SSH host key file, the host could be impersonated.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_ownership_sshd_pub_key
@@ -13,6 +13,9 @@
 [reference]:
 R50
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 If a public host key file is modified by an unauthorized user, the SSH service
 may be compromised.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_config'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_config
@@ -172,6 +172,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_private_key
@@ -186,6 +186,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key'.
--- xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
+++ xccdf_org.ssgproject.content_rule_file_permissions_sshd_pub_key
@@ -184,6 +184,9 @@
 R50
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -388,6 +388,9 @@
 SRG-OS-000480-GPOS-00227
 
 [reference]:
+SYS.1.3.A8
+
+[reference]:
 2.2.6
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login'.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -428,6 +428,9 @@
 
 [reference]:
 R33
+
+[reference]:
+SYS.1.3.A8
 
 [reference]:
 2.2.6

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth'.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -33,6 +33,9 @@
 [reference]:
 SRG-OS-000108-GPOS-00055
 
+[reference]:
+SYS.1.3.A8
+
 [rationale]:
 Without the use of multifactor authentication, the ease of access to
 privileged functions is greatly increased. Multifactor authentication

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_audit_installed'.
--- xccdf_org.ssgproject.content_rule_package_audit_installed
+++ xccdf_org.ssgproject.content_rule_package_audit_installed
@@ -207,6 +207,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_auditd_enabled'.
--- xccdf_org.ssgproject.content_rule_service_auditd_enabled
+++ xccdf_org.ssgproject.content_rule_service_auditd_enabled
@@ -575,6 +575,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument'.
--- xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
+++ xccdf_org.ssgproject.content_rule_coreos_audit_backlog_limit_kernel_argument
@@ -18,6 +18,9 @@
 SRG-APP-000092-CTR-000165
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000170
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_coreos_audit_option'.
--- xccdf_org.ssgproject.content_rule_coreos_audit_option
+++ xccdf_org.ssgproject.content_rule_coreos_audit_option
@@ -339,6 +339,9 @@
 SRG-APP-000092-CTR-000165
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000170
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_session_events'.
--- xccdf_org.ssgproject.content_rule_audit_rules_session_events
+++ xccdf_org.ssgproject.content_rule_audit_rules_session_events
@@ -390,6 +390,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions'.
--- xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
+++ xccdf_org.ssgproject.content_rule_audit_rules_sysadmin_actions
@@ -572,6 +572,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_group
@@ -589,6 +589,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_gshadow
@@ -589,6 +589,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_opasswd
@@ -595,6 +595,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
@@ -604,6 +604,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow'.
--- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
+++ xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_shadow
@@ -589,6 +589,12 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
+SYS.1.3.A6
+
+[reference]:
 10.2.1.5
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_groupownership_audit_configuration
@@ -12,6 +12,9 @@
 [reference]:
 SRG-OS-000063-GPOS-00032
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Without the capability to restrict which roles and individuals can
 select which events are audited, unauthorized personnel may be able

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_ownership_audit_configuration
@@ -17,6 +17,9 @@
 [reference]:
 SRG-OS-000063-GPOS-00032
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Without the capability to restrict which roles and individuals can
 select which events are audited, unauthorized personnel may be able

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_ownership_var_log_audit
@@ -334,6 +334,9 @@
 
 [reference]:
 SRG-APP-000118-CTR-000240
+
+[reference]:
+SYS.1.3.A14
 
 [reference]:
 10.3.2

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration'.
--- xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
+++ xccdf_org.ssgproject.content_rule_file_permissions_audit_configuration
@@ -15,6 +15,9 @@
 [reference]:
 SRG-OS-000063-GPOS-00032
 
+[reference]:
+SYS.1.3.A14
+
 [rationale]:
 Without the capability to restrict which roles and individuals can
 select which events are audited, unauthorized personnel may be able

New content has different text for rule 'xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit'.
--- xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
+++ xccdf_org.ssgproject.content_rule_file_permissions_var_log_audit
@@ -340,6 +340,9 @@
 SRG-APP-000118-CTR-000240
 
 [reference]:
+SYS.1.3.A14
+
+[reference]:
 10.3.1
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chmod
@@ -439,6 +439,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_chown
@@ -442,6 +442,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmod
@@ -439,6 +439,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchmodat
@@ -439,6 +439,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchown
@@ -445,6 +445,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fchownat
@@ -442,6 +442,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fremovexattr
@@ -466,6 +466,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_fsetxattr
@@ -460,6 +460,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lchown
@@ -442,6 +442,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lremovexattr
@@ -472,6 +472,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_lsetxattr
@@ -460,6 +460,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_removexattr
@@ -471,6 +471,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr'.
--- xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
+++ xccdf_org.ssgproject.content_rule_audit_rules_dac_modification_setxattr
@@ -436,6 +436,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.3.4
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon'.
--- xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
+++ xccdf_org.ssgproject.content_rule_audit_rules_execution_chcon
@@ -285,6 +285,9 @@
 SRG-APP-000502-CTR-001270
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_faillock
@@ -386,6 +386,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog'.
--- xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
+++ xccdf_org.ssgproject.content_rule_audit_rules_login_events_lastlog
@@ -413,6 +413,9 @@
 R73
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 10.2.1.3
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_at
@@ -29,6 +29,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chage
@@ -300,6 +300,9 @@
 SRG-APP-000502-CTR-001270
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_chsh
@@ -288,6 +288,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_crontab
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_gpasswd
@@ -291,6 +291,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_mount
@@ -63,6 +63,9 @@
 SRG-APP-000029-CTR-000085
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgidmap
@@ -56,6 +56,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newgrp
@@ -291,6 +291,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_newuidmap
@@ -56,6 +56,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pam_timestamp_check
@@ -266,6 +266,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_passwd
@@ -291,6 +291,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postdrop
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_postqueue
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_pt_chown
@@ -231,6 +231,9 @@
 SRG-APP-000502-CTR-001270
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000950
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_ssh_keysign
@@ -264,6 +264,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_su
@@ -276,6 +276,9 @@
 SRG-OS-000755-GPOS-00220
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudo
@@ -276,6 +276,9 @@
 R33
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_sudoedit
@@ -264,6 +264,9 @@
 SRG-OS-000755-GPOS-00220
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_umount
@@ -258,6 +258,9 @@
 SRG-APP-000029-CTR-000085
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_unix_chkpwd
@@ -312,6 +312,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000080
 
 [reference]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_userhelper
@@ -261,6 +261,9 @@
 SRG-APP-000495-CTR-001235
 
 [reference]:
+SYS.1.1.A10
+
+[reference]:
 CNTR-OS-000930
 
 [rationale]:

New content has different text for rule 'xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl'.
--- xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
+++ xccdf_org.ssgproject.content_rule_audit_rules_privileged_commands_usernetctl
@@ -56,6 +56,9 @@
 [reference]:
 CM-6(a)
 
+[reference]:
+SYS.1.1.A10
+
 [rationale]:
 Misuse of privileged functions, either intentionally or unintentionally by
 authorized users, or by unauthorized external entities that have compromised system accounts,

qlty-cloud-legacy · 2025-02-27T17:55:52Z

Code Climate has analyzed commit deee809 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.0% (0.0% change).

View more on Code Climate.

yuumasato · 2025-02-28T09:54:22Z

/ok-to-test

controls/bsi_sys_1_1_rhcos4.yml

linux_os/guide/system/network/network_ssl/only_allow_specific_certs/rule.yml

controls/bsi_sys_1_3_rhcos4.yml

products/rhcos4/profiles/bsi-2022.profile

yuumasato · 2025-02-28T11:10:17Z

/test 4.16-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.18-e2e-aws-rhcos4-bsi

openshift-ci · 2025-02-28T13:13:57Z

@sluetze: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.16-e2e-aws-rhcos4-bsi	`deee809`	link	true	`/test 4.16-e2e-aws-rhcos4-bsi`
ci/prow/4.18-e2e-aws-rhcos4-bsi	`deee809`	link	true	`/test 4.18-e2e-aws-rhcos4-bsi`
ci/prow/4.17-e2e-aws-rhcos4-bsi	`deee809`	link	true	`/test 4.17-e2e-aws-rhcos4-bsi`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

rhmdnd · 2025-03-19T16:26:49Z

/test

openshift-ci · 2025-03-19T16:26:53Z

@rhmdnd: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis

/test 4.12-e2e-aws-ocp4-cis-node

/test 4.12-e2e-aws-ocp4-e8

/test 4.12-e2e-aws-ocp4-high

/test 4.12-e2e-aws-ocp4-high-node

/test 4.12-e2e-aws-ocp4-moderate

/test 4.12-e2e-aws-ocp4-moderate-node

/test 4.12-e2e-aws-ocp4-pci-dss

/test 4.12-e2e-aws-ocp4-pci-dss-4-0

/test 4.12-e2e-aws-ocp4-pci-dss-node

/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.12-e2e-aws-ocp4-stig

/test 4.12-e2e-aws-ocp4-stig-node

/test 4.12-e2e-aws-rhcos4-e8

/test 4.12-e2e-aws-rhcos4-high

/test 4.12-e2e-aws-rhcos4-moderate

/test 4.12-e2e-aws-rhcos4-stig

/test 4.12-images

/test 4.13-e2e-aws-ocp4-bsi

/test 4.13-e2e-aws-ocp4-bsi-node

/test 4.13-e2e-aws-ocp4-cis

/test 4.13-e2e-aws-ocp4-cis-node

/test 4.13-e2e-aws-ocp4-e8

/test 4.13-e2e-aws-ocp4-high

/test 4.13-e2e-aws-ocp4-high-node

/test 4.13-e2e-aws-ocp4-moderate

/test 4.13-e2e-aws-ocp4-moderate-node

/test 4.13-e2e-aws-ocp4-pci-dss

/test 4.13-e2e-aws-ocp4-pci-dss-4-0

/test 4.13-e2e-aws-ocp4-pci-dss-node

/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.13-e2e-aws-ocp4-stig

/test 4.13-e2e-aws-ocp4-stig-node

/test 4.13-e2e-aws-rhcos4-bsi

/test 4.13-e2e-aws-rhcos4-e8

/test 4.13-e2e-aws-rhcos4-high

/test 4.13-e2e-aws-rhcos4-moderate

/test 4.13-e2e-aws-rhcos4-stig

/test 4.13-images

/test 4.14-e2e-aws-ocp4-bsi

/test 4.14-e2e-aws-ocp4-bsi-node

/test 4.14-e2e-aws-ocp4-pci-dss-4-0

/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.14-e2e-aws-rhcos4-bsi

/test 4.14-images

/test 4.15-e2e-aws-ocp4-bsi

/test 4.15-e2e-aws-ocp4-bsi-node

/test 4.15-e2e-aws-ocp4-cis

/test 4.15-e2e-aws-ocp4-cis-node

/test 4.15-e2e-aws-ocp4-e8

/test 4.15-e2e-aws-ocp4-high

/test 4.15-e2e-aws-ocp4-high-node

/test 4.15-e2e-aws-ocp4-moderate

/test 4.15-e2e-aws-ocp4-moderate-node

/test 4.15-e2e-aws-ocp4-pci-dss

/test 4.15-e2e-aws-ocp4-pci-dss-4-0

/test 4.15-e2e-aws-ocp4-pci-dss-node

/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.15-e2e-aws-ocp4-stig

/test 4.15-e2e-aws-ocp4-stig-node

/test 4.15-e2e-aws-rhcos4-bsi

/test 4.15-e2e-aws-rhcos4-e8

/test 4.15-e2e-aws-rhcos4-high

/test 4.15-e2e-aws-rhcos4-moderate

/test 4.15-e2e-aws-rhcos4-stig

/test 4.15-e2e-rosa-ocp4-cis-node

/test 4.15-e2e-rosa-ocp4-pci-dss-node

/test 4.15-images

/test 4.16-e2e-aws-ocp4-bsi

/test 4.16-e2e-aws-ocp4-bsi-node

/test 4.16-e2e-aws-ocp4-cis

/test 4.16-e2e-aws-ocp4-cis-node

/test 4.16-e2e-aws-ocp4-e8

/test 4.16-e2e-aws-ocp4-high

/test 4.16-e2e-aws-ocp4-high-node

/test 4.16-e2e-aws-ocp4-moderate

/test 4.16-e2e-aws-ocp4-moderate-node

/test 4.16-e2e-aws-ocp4-pci-dss

/test 4.16-e2e-aws-ocp4-pci-dss-4-0

/test 4.16-e2e-aws-ocp4-pci-dss-node

/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.16-e2e-aws-ocp4-stig

/test 4.16-e2e-aws-ocp4-stig-node

/test 4.16-e2e-aws-rhcos4-bsi

/test 4.16-e2e-aws-rhcos4-e8

/test 4.16-e2e-aws-rhcos4-high

/test 4.16-e2e-aws-rhcos4-moderate

/test 4.16-e2e-aws-rhcos4-stig

/test 4.16-images

/test 4.17-e2e-aws-ocp4-bsi

/test 4.17-e2e-aws-ocp4-bsi-node

/test 4.17-e2e-aws-ocp4-cis

/test 4.17-e2e-aws-ocp4-cis-node

/test 4.17-e2e-aws-ocp4-e8

/test 4.17-e2e-aws-ocp4-high

/test 4.17-e2e-aws-ocp4-high-node

/test 4.17-e2e-aws-ocp4-moderate

/test 4.17-e2e-aws-ocp4-moderate-node

/test 4.17-e2e-aws-ocp4-pci-dss

/test 4.17-e2e-aws-ocp4-pci-dss-4-0

/test 4.17-e2e-aws-ocp4-pci-dss-node

/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.17-e2e-aws-ocp4-stig

/test 4.17-e2e-aws-ocp4-stig-node

/test 4.17-e2e-aws-rhcos4-bsi

/test 4.17-e2e-aws-rhcos4-e8

/test 4.17-e2e-aws-rhcos4-high

/test 4.17-e2e-aws-rhcos4-moderate

/test 4.17-e2e-aws-rhcos4-stig

/test 4.17-images

/test 4.18-e2e-aws-ocp4-bsi

/test 4.18-e2e-aws-ocp4-bsi-node

/test 4.18-e2e-aws-ocp4-cis

/test 4.18-e2e-aws-ocp4-cis-node

/test 4.18-e2e-aws-ocp4-e8

/test 4.18-e2e-aws-ocp4-high

/test 4.18-e2e-aws-ocp4-high-node

/test 4.18-e2e-aws-ocp4-moderate

/test 4.18-e2e-aws-ocp4-moderate-node

/test 4.18-e2e-aws-ocp4-pci-dss

/test 4.18-e2e-aws-ocp4-pci-dss-4-0

/test 4.18-e2e-aws-ocp4-pci-dss-node

/test 4.18-e2e-aws-ocp4-pci-dss-node-4-0

/test 4.18-e2e-aws-ocp4-stig

/test 4.18-e2e-aws-ocp4-stig-node

/test 4.18-e2e-aws-rhcos4-bsi

/test 4.18-e2e-aws-rhcos4-e8

/test 4.18-e2e-aws-rhcos4-high

/test 4.18-e2e-aws-rhcos4-moderate

/test 4.18-e2e-aws-rhcos4-stig

/test 4.18-images

/test e2e-aws-ocp4-bsi

/test e2e-aws-ocp4-bsi-node

/test e2e-aws-ocp4-cis

/test e2e-aws-ocp4-cis-arm

/test e2e-aws-ocp4-cis-node

/test e2e-aws-ocp4-cis-node-arm

/test e2e-aws-ocp4-e8

/test e2e-aws-ocp4-high

/test e2e-aws-ocp4-high-node

/test e2e-aws-ocp4-moderate

/test e2e-aws-ocp4-moderate-node

/test e2e-aws-ocp4-pci-dss

/test e2e-aws-ocp4-pci-dss-4-0

/test e2e-aws-ocp4-pci-dss-node

/test e2e-aws-ocp4-pci-dss-node-4-0

/test e2e-aws-ocp4-stig

/test e2e-aws-ocp4-stig-node

/test e2e-aws-rhcos4-bsi

/test e2e-aws-rhcos4-e8

/test e2e-aws-rhcos4-high

/test e2e-aws-rhcos4-moderate

/test e2e-aws-rhcos4-stig

/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images

pull-ci-ComplianceAsCode-content-master-4.13-images

pull-ci-ComplianceAsCode-content-master-4.14-images

pull-ci-ComplianceAsCode-content-master-4.15-images

pull-ci-ComplianceAsCode-content-master-4.16-images

pull-ci-ComplianceAsCode-content-master-4.17-images

pull-ci-ComplianceAsCode-content-master-4.18-images

pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

linux_os/guide/system/network/network_ssl/only_allow_specific_certs/tests/ocp4/e2e.yml

Anna-Koudelkova · 2025-03-31T13:15:14Z

/lgtm

Pre-merge verification steps:

Verify profile rhcos4-bsi-2022 exists:

$ oc get profiles |grep rhcos4-bsi
upstream-rhcos4-bsi                   	80m	2022
upstream-rhcos4-bsi-2022              	80m	2022

Verify rule only-allow-specific-certs exists and is part of the profile rhcos4-bsi

$  oc get rules |grep only-allow-specific-certs
upstream-rhcos4-only-allow-specific-certs                                                	82m

$ oc describe profile upstream-rhcos4-bsi-2022 |grep only-allow
  upstream-rhcos4-only-allow-specific-certs

Read the profile and rule description and see whether they are correctly associated

$ oc describe profile upstream-rhcos4-bsi-2022
...
$ oc describe rule upstream-rhcos4-only-allow-specific-certs
...

Perform a compliance scan using these profiles, check whether the autoremediation works and see the results of the scan

→ These have been checked by running test cases 80570 (Create and check scans for ocp4 and rhcos4 BSI profiles) and 80578 (Check the autoremediation works for BSI profiles) locally - Both test cases have PASSed and logs could be found in PR #23941 in the openshift-test-private repo.

xiaojiey · 2025-04-08T05:44:16Z

/retest

yuumasato

@sluetze thank you!

yuumasato · 2025-08-27T11:37:02Z

/ok-to-test

yuumasato · 2025-08-27T12:39:13Z

CC @jan-cerny @Mab879 and @vojtapolasek for codeowner approval

vojtapolasek · 2025-08-27T12:50:35Z

Ack from RHEL point of view.

vojtapolasek

LGTM.

openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Feb 27, 2025

yuumasato self-assigned this Feb 28, 2025

yuumasato added OpenShift OpenShift product related. BSI PRs or issues for the BSI profile. labels Feb 28, 2025

openshift-ci bot added ok-to-test Used by openshift-ci bot. and removed needs-ok-to-test Used by openshift-ci bot. labels Feb 28, 2025

yuumasato requested changes Feb 28, 2025

View reviewed changes

rhmdnd reviewed Mar 19, 2025

View reviewed changes

linux_os/guide/system/network/network_ssl/only_allow_specific_certs/tests/ocp4/e2e.yml Show resolved Hide resolved

sluetze requested a review from yuumasato May 7, 2025 14:05

sluetze mentioned this pull request Jul 14, 2025

New Profile for RHEL9: BSI #13700

Merged

sluetze force-pushed the sys-1-1 branch from d2b1825 to 37bbd7d Compare August 26, 2025 14:35

sluetze requested review from Mab879, jan-cerny, matusmarhefka and vojtapolasek as code owners August 26, 2025 14:35

openshift-merge-robot added the needs-rebase Used by openshift-ci bot. label Aug 26, 2025

sluetze added 4 commits August 26, 2025 16:43

initial setup

0c24199

finalize ruleset of sys 1.1 and sys 1.3

7ed1efe

minor changes in wording

daa0c7c

fix small typos and add randomize rules for ram

0af543d

sluetze added 2 commits August 26, 2025 16:47

add CCE identifiers

0c1ad7c

add e2e assertion

837fe75

sluetze force-pushed the sys-1-1 branch from 37bbd7d to 39a1f7c Compare August 26, 2025 14:47

openshift-merge-robot removed the needs-rebase Used by openshift-ci bot. label Aug 26, 2025

sluetze force-pushed the sys-1-1 branch from 39a1f7c to c3b81df Compare August 26, 2025 14:51

check for disabled root login, remove protocol2 check and add reasoning

b941487

sluetze force-pushed the sys-1-1 branch from c3b81df to b941487 Compare August 27, 2025 06:11

yuumasato added this to the 0.1.79 milestone Aug 27, 2025

yuumasato approved these changes Aug 27, 2025

View reviewed changes

vojtapolasek approved these changes Aug 27, 2025

View reviewed changes

yuumasato merged commit 69c7dc4 into ComplianceAsCode:master Aug 27, 2025
131 of 132 checks passed

sluetze deleted the sys-1-1 branch September 5, 2025 10:46

jan-cerny added Highlight This PR/Issue should make it to the featured changelog. New Profile Issues or pull requests related to new Profiles. labels Nov 18, 2025

Add rhcos4 Profile for BSI Grundschutz #13121

Add rhcos4 Profile for BSI Grundschutz #13121

Uh oh!

Conversation

sluetze commented Feb 27, 2025

Description:

Rationale:

Review Hints:

Uh oh!

openshift-ci bot commented Feb 27, 2025

Uh oh!

github-actions bot commented Feb 27, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

qlty-cloud-legacy bot commented Feb 27, 2025

Uh oh!

yuumasato commented Feb 28, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

yuumasato commented Feb 28, 2025

Uh oh!

openshift-ci bot commented Feb 28, 2025

Uh oh!

rhmdnd commented Mar 19, 2025

Uh oh!

openshift-ci bot commented Mar 19, 2025

Uh oh!

Uh oh!

Anna-Koudelkova commented Mar 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

xiaojiey commented Apr 8, 2025

Uh oh!

yuumasato left a comment

Choose a reason for hiding this comment

Uh oh!

yuumasato commented Aug 27, 2025

Uh oh!

yuumasato commented Aug 27, 2025

Uh oh!

vojtapolasek commented Aug 27, 2025

Uh oh!

vojtapolasek left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

github-actions bot commented Feb 27, 2025 •

edited

Loading

Anna-Koudelkova commented Mar 31, 2025 •

edited

Loading