Sle16 dconf gnome patch #14366

Merged
Mab879 merged 8 commits into ComplianceAsCode:master from teacup-on-rockingchair:sle16_dconf_gnome_patch
Feb 17, 2026


@teacup-on-rockingchair
Contributor

Description:

  • Fixes related to dconf rules in SLE16 context

Rationale:

  • Use ansible_enable_dconf_user_profile macro to set user gdm profile and use dconf_gdm_dir variable for location
  • Add definition of dconf_gdm_dir variable for ubuntu
  • Use bash_enable_dconf_user_profile macro to set gdm user profile for sle
  • Add SLE16 CCE for gnome_gdm_disable_unattended_automatic_login rule
  • Use grep instead of sed for boolean checks

Review Hints:

  • @ComplianceAsCode/ubuntu-maintainers please review ubuntu platform-related changes

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 6, 2026
@openshift-ci

openshift-ci bot commented Feb 6, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@Mab879
Member

Mab879 commented Feb 6, 2026

/packit build

@teacup-on-rockingchair teacup-on-rockingchair added this to the 0.1.80 milestone Feb 8, 2026
@teacup-on-rockingchair teacup-on-rockingchair added SLES SUSE Linux Enterprise Server product related. Ansible Ansible remediation update. OVAL OVAL update. Related to the systems assessments. Bash Bash remediation update. Update Template Issues or pull requests related to Templates updates. labels Feb 8, 2026
@teacup-on-rockingchair teacup-on-rockingchair marked this pull request as ready for review February 8, 2026 11:37
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Feb 8, 2026
@ggbecker
Member

/packit retest-failed

@github-actions

github-actions bot commented Feb 13, 2026

This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_dracut_fips_module'.
--- xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
+++ xccdf_org.ssgproject.content_rule_enable_dracut_fips_module
@@ -64,6 +64,15 @@
 [reference]:
 1446
 
+[reference]:
+needed_rules
+
+[reference]:
+RHEL-08-010020
+
+[reference]:
+SV-230223r1069327_rule
+
 [rationale]:
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
 protect data. The operating system must implement cryptographic modules adhering to the higher
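
Review bot: the first added `[reference]` entry, `needed_rules`, does not look like a control identifier. The two entries added beside it, `RHEL-08-010020` and `SV-230223r1069327_rule`, follow the STIG ID patterns, while this one reads like a key name that has been picked up as a value. Please check how the STIG reference list for this rule is generated and drop the entry if it is not a real STIG ID, since references are published to scanners and reports as-is.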

New content has different text for rule 'xccdf_org.ssgproject.content_rule_enable_fips_mode'.
--- xccdf_org.ssgproject.content_rule_enable_fips_mode
+++ xccdf_org.ssgproject.content_rule_enable_fips_mode
@@ -80,6 +80,15 @@
 [reference]:
 1446
 
+[reference]:
+needed_rules
+
+[reference]:
+RHEL-08-010020
+
+[reference]:
+SV-230223r1069327_rule
+
 [rationale]:
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
 protect data. The operating system must implement cryptographic modules adhering to the higher

New content has different text for rule 'xccdf_org.ssgproject.content_rule_fips_crypto_subpolicy'.
--- xccdf_org.ssgproject.content_rule_fips_crypto_subpolicy
+++ xccdf_org.ssgproject.content_rule_fips_crypto_subpolicy
@@ -18,31 +18,7 @@
 RHEL-08-010020
 
 [reference]:
-RHEL-08-010290
-
-[reference]:
-RHEL-08-010291
-
-[reference]:
-RHEL-08-010296
-
-[reference]:
-RHEL-08-010297
-
-[reference]:
-SV-230223r1155356_rule
-
-[reference]:
-SV-230251r1155370_rule
-
-[reference]:
-SV-230252r1155364_rule
-
-[reference]:
-SV-272482r1155367_rule
-
-[reference]:
-SV-272483r1155361_rule
+SV-230223r1069327_rule
 
 [rationale]:
 Sub-policies can cause insecure ciphers to be used.
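
Review bot: the replacement line `SV-230223r1069327_rule` carries a lower revision suffix than the `SV-230223r1155356_rule` it replaces, and the same hunk drops the `RHEL-08-010290`, `RHEL-08-010291`, `RHEL-08-010296` and `RHEL-08-010297` references, none of which the PR description (dconf rules in SLE16 context) mentions. If the branch is simply behind master, rebasing before merge would take this out of the datastream diff; if the change is intended, it should be called out in the description.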

xccdf_org.ssgproject.content_rule_fips_custom_stig_sub_policy is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled'.
--- xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
+++ xccdf_org.ssgproject.content_rule_sysctl_crypto_fips_enabled
@@ -84,6 +84,12 @@
 [reference]:
 SRG-OS-000478-GPOS-00223
 
+[reference]:
+RHEL-08-010020
+
+[reference]:
+SV-230223r1069327_rule
+
 [rationale]:
 Use of weak or untested encryption algorithms undermines the purposes of utilizing encryption to
 protect data. The operating system must implement cryptographic modules adhering to the higher

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed'.
--- xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
+++ xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
@@ -37,12 +37,6 @@
 [reference]:
 SRG-OS-000394-GPOS-00174
 
-[reference]:
-RHEL-08-010015
-
-[reference]:
-SV-279933r1156352_rule
-
 [rationale]:
 Centralized cryptographic policies simplify applying secure ciphers across an operating system and
 the applications that run on that operating system. Use of weak or untested encryption algorithms

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_package_crypto-policies_installed' differs.
--- xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
+++ xccdf_org.ssgproject.content_rule_package_crypto-policies_installed
@@ -4,7 +4,6 @@
     state: present
   tags:
   - CCE-82723-8
-  - DISA-STIG-RHEL-08-010015
   - enable_strategy
   - low_complexity
   - low_disruption

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
@@ -35,10 +35,13 @@
 SRG-OS-000426-GPOS-00190
 
 [reference]:
-RHEL-08-010275
+needed_rules
 
 [reference]:
-SV-279931r1156346_rule
+RHEL-08-010020
+
+[reference]:
+SV-230223r1069327_rule
 
 [rationale]:
 Overriding the system crypto policy makes the behavior of the BIND service violate expectations,

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_bind_crypto_policy
@@ -3,7 +3,8 @@
     manager: auto
   tags:
   - CCE-80934-3
-  - DISA-STIG-RHEL-08-010275
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-SC-12(2)
   - NIST-800-53-SC-12(3)
   - NIST-800-53-SC-13
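
Review bot: the added tag `DISA-STIG-needed_rules` matches the `needed_rules` reference that appears in the text diff for this rule and ends up as an Ansible task tag, while the per-control tag `DISA-STIG-RHEL-08-010275` is removed, so a playbook run filtered on that tag will no longer select this task. The same substitution repeats in the three following hunks of this remediation; please confirm the control mapping for `configure_bind_crypto_policy` before merge.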
@@ -22,7 +23,8 @@
   when: '"bind" in ansible_facts.packages'
   tags:
   - CCE-80934-3
-  - DISA-STIG-RHEL-08-010275
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-SC-12(2)
   - NIST-800-53-SC-12(3)
   - NIST-800-53-SC-13
@@ -42,7 +44,8 @@
   - not bind_config_file.stat.exists
   tags:
   - CCE-80934-3
-  - DISA-STIG-RHEL-08-010275
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-SC-12(2)
   - NIST-800-53-SC-12(3)
   - NIST-800-53-SC-13
@@ -65,7 +68,8 @@
   - bind_config_file.stat.exists
   tags:
   - CCE-80934-3
-  - DISA-STIG-RHEL-08-010275
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-SC-12(2)
   - NIST-800-53-SC-12(3)
   - NIST-800-53-SC-13

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -116,40 +116,13 @@
 2.2
 
 [reference]:
+needed_rules
+
+[reference]:
 RHEL-08-010020
 
 [reference]:
-RHEL-08-010270
-
-[reference]:
-RHEL-08-010290
-
-[reference]:
-RHEL-08-010291
-
-[reference]:
-RHEL-08-010296
-
-[reference]:
-RHEL-08-010297
-
-[reference]:
-SV-230223r1155356_rule
-
-[reference]:
-SV-279932r1156349_rule
-
-[reference]:
-SV-230251r1155370_rule
-
-[reference]:
-SV-230252r1155364_rule
-
-[reference]:
-SV-272482r1155367_rule
-
-[reference]:
-SV-272483r1155361_rule
+SV-230223r1069327_rule
 
 [rationale]:
 Centralized cryptographic policies simplify applying secure ciphers across an operating system and

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_crypto_policy
@@ -13,11 +13,7 @@
   tags:
   - CCE-80935-0
   - DISA-STIG-RHEL-08-010020
-  - DISA-STIG-RHEL-08-010270
-  - DISA-STIG-RHEL-08-010290
-  - DISA-STIG-RHEL-08-010291
-  - DISA-STIG-RHEL-08-010296
-  - DISA-STIG-RHEL-08-010297
+  - DISA-STIG-needed_rules
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -44,11 +40,7 @@
   tags:
   - CCE-80935-0
   - DISA-STIG-RHEL-08-010020
-  - DISA-STIG-RHEL-08-010270
-  - DISA-STIG-RHEL-08-010290
-  - DISA-STIG-RHEL-08-010291
-  - DISA-STIG-RHEL-08-010296
-  - DISA-STIG-RHEL-08-010297
+  - DISA-STIG-needed_rules
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -75,11 +67,7 @@
   tags:
   - CCE-80935-0
   - DISA-STIG-RHEL-08-010020
-  - DISA-STIG-RHEL-08-010270
-  - DISA-STIG-RHEL-08-010290
-  - DISA-STIG-RHEL-08-010291
-  - DISA-STIG-RHEL-08-010296
-  - DISA-STIG-RHEL-08-010297
+  - DISA-STIG-needed_rules
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -106,11 +94,7 @@
   tags:
   - CCE-80935-0
   - DISA-STIG-RHEL-08-010020
-  - DISA-STIG-RHEL-08-010270
-  - DISA-STIG-RHEL-08-010290
-  - DISA-STIG-RHEL-08-010291
-  - DISA-STIG-RHEL-08-010296
-  - DISA-STIG-RHEL-08-010297
+  - DISA-STIG-needed_rules
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -136,11 +120,7 @@
   tags:
   - CCE-80935-0
   - DISA-STIG-RHEL-08-010020
-  - DISA-STIG-RHEL-08-010270
-  - DISA-STIG-RHEL-08-010290
-  - DISA-STIG-RHEL-08-010291
-  - DISA-STIG-RHEL-08-010296
-  - DISA-STIG-RHEL-08-010297
+  - DISA-STIG-needed_rules
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
@@ -23,6 +23,12 @@
 [reference]:
 SRG-OS-000423-GPOS-00187
 
+[reference]:
+RHEL-08-010295
+
+[reference]:
+SV-230256r1017076_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the GnuTLS
 library violate expectations, and makes system configuration more

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_gnutls_tls_crypto_policy
@@ -5,6 +5,7 @@
     lineinfile_reg: \+VERS-ALL:-VERS-DTLS0\.9:-VERS-TLS1\.1:-VERS-TLS1\.0:-VERS-SSL3\.0:-VERS-DTLS1\.0
   tags:
   - CCE-84254-2
+  - DISA-STIG-RHEL-08-010295
   - NIST-800-53-AC-17(2)
   - configure_gnutls_tls_crypto_policy
   - low_complexity
@@ -20,6 +21,7 @@
   register: gnutls_file
   tags:
   - CCE-84254-2
+  - DISA-STIG-RHEL-08-010295
   - NIST-800-53-AC-17(2)
   - configure_gnutls_tls_crypto_policy
   - low_complexity
@@ -37,6 +39,7 @@
   when: not gnutls_file.stat.exists or gnutls_file.stat.size <= correct_value|length
   tags:
   - CCE-84254-2
+  - DISA-STIG-RHEL-08-010295
   - NIST-800-53-AC-17(2)
   - configure_gnutls_tls_crypto_policy
   - low_complexity
@@ -68,6 +71,7 @@
   when: gnutls_file.stat.exists and gnutls_file.stat.size > correct_value|length
   tags:
   - CCE-84254-2
+  - DISA-STIG-RHEL-08-010295
   - NIST-800-53-AC-17(2)
   - configure_gnutls_tls_crypto_policy
   - low_complexity

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -37,6 +37,15 @@
 [reference]:
 1402
 
+[reference]:
+needed_rules
+
+[reference]:
+RHEL-08-010020
+
+[reference]:
+SV-230223r1069327_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of Kerberos violate expectations,
 and makes system configuration more fragmented.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_kerberos_crypto_policy
@@ -5,6 +5,8 @@
     state: link
   tags:
   - CCE-80936-8
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-SC-12(2)
   - NIST-800-53-SC-12(3)
   - NIST-800-53-SC-13

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -41,10 +41,13 @@
 SRG-OS-000033-GPOS-00014
 
 [reference]:
-RHEL-08-010280
+needed_rules
 
 [reference]:
-SV-279930r1156343_rule
+RHEL-08-010020
+
+[reference]:
+SV-230223r1069327_rule
 
 [rationale]:
 Overriding the system crypto policy makes the behavior of the Libreswan

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_libreswan_crypto_policy
@@ -3,7 +3,8 @@
     manager: auto
   tags:
   - CCE-80937-6
-  - DISA-STIG-RHEL-08-010280
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-CM-6(a)
   - NIST-800-53-MA-4(6)
   - NIST-800-53-SC-12(2)
@@ -25,7 +26,8 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-80937-6
-  - DISA-STIG-RHEL-08-010280
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-needed_rules
   - NIST-800-53-CM-6(a)
   - NIST-800-53-MA-4(6)
   - NIST-800-53-SC-12(2)

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
@@ -74,6 +74,12 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+RHEL-08-010293
+
+[reference]:
+SV-230254r1017072_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the Java runtime violates expectations,
 and makes system configuration more fragmented.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_crypto_policy
@@ -7,6 +7,7 @@
   register: test_crypto_policy_group
   tags:
   - CCE-80938-4
+  - DISA-STIG-RHEL-08-010293
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -31,6 +32,7 @@
   register: test_crypto_policy_include_directive
   tags:
   - CCE-80938-4
+  - DISA-STIG-RHEL-08-010293
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -58,6 +60,7 @@
   - test_crypto_policy_include_directive.matched == 0
   tags:
   - CCE-80938-4
+  - DISA-STIG-RHEL-08-010293
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -84,6 +87,7 @@
   when: test_crypto_policy_group.matched == 0
   tags:
   - CCE-80938-4
+  - DISA-STIG-RHEL-08-010293
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_openssl_tls_crypto_policy
@@ -48,6 +48,12 @@
 [reference]:
 SRG-OS-000394-GPOS-00174
 
+[reference]:
+RHEL-08-010294
+
+[reference]:
+SV-230255r1017075_rule
+
 [rationale]:
 Without cryptographic integrity protections, information can be altered by
 unauthorized users without detection.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -76,6 +76,12 @@
 [reference]:
 5.1.1
 
+[reference]:
+RHEL-08-010287
+
+[reference]:
+SV-244526r1017332_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the SSH service violate expectations,
 and makes system configuration more fragmented.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
+++ xccdf_org.ssgproject.content_rule_configure_ssh_crypto_policy
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-80939-2
+  - DISA-STIG-RHEL-08-010287
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)
@@ -26,6 +27,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-80939-2
+  - DISA-STIG-RHEL-08-010287
   - NIST-800-53-AC-17(2)
   - NIST-800-53-AC-17(a)
   - NIST-800-53-CM-6(a)

New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -54,6 +54,18 @@
 [reference]:
 SRG-OS-000423-GPOS-00187
 
+[reference]:
+RHEL-08-010020
+
+[reference]:
+RHEL-08-010296
+
+[reference]:
+SV-230223r1069327_rule
+
+[reference]:
+SV-272482r1069414_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the OpenSSH client
 violate expectations, and makes system configuration more fragmented. By

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -34,6 +34,8 @@
       state: present
   tags:
   - CCE-85902-5
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-RHEL-08-010296
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_openssh_conf_crypto_policy
   - high_severity

New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -42,6 +42,12 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+RHEL-08-010291
+
+[reference]:
+SV-230252r1067104_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the OpenSSH server
 violate expectations, and makes system configuration more fragmented. By

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_opensshserver_conf_crypto_policy
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -25,6 +26,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -42,6 +44,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -58,6 +61,7 @@
   - not opensshserver_file.stat.exists or opensshserver_file.stat.size == 0
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -74,6 +78,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -90,6 +95,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -105,6 +111,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -123,6 +130,7 @@
   - not cipher_is_correct and last_crypto_policy != ''
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -143,6 +151,7 @@
   - not cipher_is_correct
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -159,6 +168,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -182,6 +192,7 @@
   - not cipher_is_correct
   tags:
   - CCE-85897-7
+  - DISA-STIG-RHEL-08-010291
   - NIST-800-53-AC-17(2)
   - harden_sshd_ciphers_opensshserver_conf_crypto_policy
   - low_complexity
@@ -198,10 +209,11 @@
   - not cipher_is_correct and local_config is changed
   tags:
   - CCE-85897-7
-  - NIST-800-53-AC-17(2)
-  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
+  - DISA-STIG-RHEL-08-010291
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_ciphers_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy
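
Review bot: the seven tag lines from `NIST-800-53-AC-17(2)` to `restrict_strategy` are removed and re-added with identical visible text, so the only substantive change in this hunk is the new `DISA-STIG-RHEL-08-010291` tag. It is worth checking whether the rendered task now ends differently (trailing whitespace or a final newline), since that makes the generated diff noisier than the change itself.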

New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -42,6 +42,18 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+RHEL-08-010020
+
+[reference]:
+RHEL-08-010296
+
+[reference]:
+SV-230223r1069327_rule
+
+[reference]:
+SV-272482r1069414_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the OpenSSH
 client violate expectations, and makes system configuration more

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -34,6 +34,8 @@
       state: present
   tags:
   - CCE-85870-4
+  - DISA-STIG-RHEL-08-010020
+  - DISA-STIG-RHEL-08-010296
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_openssh_conf_crypto_policy
   - low_complexity

New content has different text for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy'.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -42,6 +42,12 @@
 [reference]:
 SRG-OS-000250-GPOS-00093
 
+[reference]:
+RHEL-08-010290
+
+[reference]:
+SV-230251r1044814_rule
+
 [rationale]:
 Overriding the system crypto policy makes the behavior of the OpenSSH
 server violate expectations, and makes system configuration more

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_opensshserver_conf_crypto_policy
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -25,6 +26,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -42,6 +44,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -58,6 +61,7 @@
   - not opensshserver_file.stat.exists or opensshserver_file.stat.size == 0
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -74,6 +78,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -90,6 +95,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -105,6 +111,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -123,6 +130,7 @@
   - not mac_is_correct and last_crypto_policy != ''
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -143,6 +151,7 @@
   - not mac_is_correct
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -159,6 +168,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -182,6 +192,7 @@
   - not mac_is_correct
   tags:
   - CCE-85899-3
+  - DISA-STIG-RHEL-08-010290
   - NIST-800-53-AC-17(2)
   - harden_sshd_macs_opensshserver_conf_crypto_policy
   - low_complexity
@@ -198,10 +209,11 @@
   - not mac_is_correct and local_config is changed
   tags:
   - CCE-85899-3
-  - NIST-800-53-AC-17(2)
-  - harden_sshd_macs_opensshserver_conf_crypto_policy
-  - low_complexity
-  - low_disruption
-  - medium_severity
-  - reboot_required
-  - restrict_strategy
+  - DISA-STIG-RHEL-08-010290
+  - NIST-800-53-AC-17(2)
+  - harden_sshd_macs_opensshserver_conf_crypto_policy
+  - low_complexity
+  - low_disruption
+  - medium_severity
+  - reboot_required
+  - restrict_strategy

New content has different text for rule 'xccdf_org.ssgproject.content_rule_partition_for_home'.
--- xccdf_org.ssgproject.content_rule_partition_for_home
+++ xccdf_org.ssgproject.content_rule_partition_for_home
@@ -85,7 +85,7 @@
 RHEL-08-010800
 
 [reference]:
-SV-230328r1155410_rule
+SV-230328r1017139_rule
 
 [rationale]:
 Ensuring that /home is mounted on its own partition enables the

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable automount within GNOME3, add or set
-automount to false in /etc/dconf/db/local.d/00-security-settings.
+automount to false in /etc/dconf/db/gdm.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 automount=false
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/automount
 After the settings have been set, run dconf update.
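
Review bot: both path lines in this description move from `/etc/dconf/db/local.d/` to `/etc/dconf/db/gdm.d/`, which changes the instructions an administrator follows by hand for this data stream, while the PR description frames the work as SLE16 fixes plus a `dconf_gdm_dir` definition for Ubuntu. Please confirm that `dconf_gdm_dir` resolves to the intended directory for the product this diff was built from, and that the OVAL check and the profile set by `enable_dconf_user_profile` read the same database; otherwise the documented setting and lock would not be the ones evaluated.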

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling automount
 If properly configured, the output for automount should be false.
 To ensure that users cannot enable automount in GNOME3, run the following:
-$ grep 'automount' /etc/dconf/db/local.d/locks/*
+$ grep 'automount' /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output for automount should be /org/gnome/desktop/media-handling/automount
       Is it the case that GNOME automounting is not disabled?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount
@@ -2,7 +2,6 @@
 if rpm --quiet -q gdm; then
 
 # apply fix for enable_dconf_user_profile, OVAL checks it
-
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
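
Review bot: the comment `# apply fix for enable_dconf_user_profile, OVAL checks it` is still followed only by blank lines in this rendering, so the remediation announces a fix that it does not apply here. If the `bash_enable_dconf_user_profile` macro is meant to expand only for SLE, consider moving the comment inside the same conditional so it is emitted only when the macro produces output.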

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable automount-open within GNOME3, add or set
-automount-open to false in /etc/dconf/db/local.d/00-security-settings.
+automount-open to false in /etc/dconf/db/gdm.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 automount-open=false
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/automount-open
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_automount_open_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling automount-open
 If properly configured, the output for automount-openshould be false.
 To ensure that users cannot enable automount opening in GNOME3, run the following:
-$ grep 'automount-open' /etc/dconf/db/local.d/locks/*
+$ grep 'automount-open' /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output for automount-open should be /org/gnome/desktop/media-handling/automount-open
       Is it the case that GNOME automounting is not disabled?
       
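
Review bot: the unchanged line just above the edited `grep` command reads `automount-openshould be false`, with the space after the setting name missing. Since this OCIL text is being touched anyway, it would be good to fix the template so the rendered sentence reads `automount-open should be false`.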
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_automount_open
@@ -2,7 +2,6 @@
 if rpm --quiet -q gdm; then
 
 # apply fix for enable_dconf_user_profile, OVAL checks it
-
 
 # Check for setting in any of the DConf db directories
 # If files contain ibus or distro, ignore them.
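
Review bot: the only change here drops a blank line, which leaves the comment "# apply fix for enable_dconf_user_profile, OVAL checks it" with nothing under it before the next comment block. Either the macro that should render the profile fix expands to nothing on this product, or the comment is stale. The dconf_gnome_screensaver_lock_delay remediation in this same comparison removes the comment outright, so the two templates should be made consistent.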

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun
@@ -6,12 +6,12 @@
 The system's default desktop environment, GNOME3, will mount
 devices and removable media (such as DVDs, CDs and USB flash drives) whenever
 they are inserted into the system. To disable autorun-never within GNOME3, add or set
-autorun-never to true in /etc/dconf/db/local.d/00-security-settings.
+autorun-never to true in /etc/dconf/db/gdm.d/00-security-settings.
 For example:
 [org/gnome/desktop/media-handling]
 autorun-never=true
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/media-handling/autorun-never
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_disable_autorun' differs.
--- ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_disable_autorun_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.media-handling autorun-never
 If properly configured, the output for autorun-nevershould be true.
 To ensure that users cannot enable autorun in GNOME3, run the following:
-$ grep 'autorun-never' /etc/dconf/db/local.d/locks/*
+$ grep 'autorun-never' /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output for autorun-never should be /org/gnome/desktop/media-handling/autorun-never
       Is it the case that GNOME autorun is not disabled?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt
@@ -6,12 +6,12 @@
 By default, GNOME does not require credentials when using Vino for
 remote access. To configure the system to require remote credentials, add or set
 authentication-methods to ['vnc'] in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
 [org/gnome/Vino]
 authentication-methods=['vnc']
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/Vino/authentication-methods
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_credential_prompt' differs.
--- ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_credential_prompt_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.Vino authentication-methods
 If properly configured, the output should be false.
 To ensure that users cannot disable credentials for remote access, run the following:
-$ grep authentication-methods /etc/dconf/db/local.d/locks/*
+$ grep authentication-methods /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should be
 /org/gnome/Vino/authentication-methods
       Is it the case that wireless network notification is enabled and not disabled?
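
Review bot: the context lines around the changed grep do not match this rule. The description sets authentication-methods to ['vnc'], but the check says the gsettings output should be false, and the closing question asks about wireless network notification. While the lock path is being touched, the expected output and the question should be corrected to describe remote access credentials.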

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption
@@ -6,12 +6,12 @@
 By default, GNOME requires encryption when using Vino for remote access.
 To prevent remote access encryption from being disabled, add or set
 require-encryption to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
 [org/gnome/Vino]
 require-encryption=true
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/Vino/require-encryption
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_remote_access_encryption' differs.
--- ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_remote_access_encryption_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.Vino require-encrpytion
 If properly configured, the output should be true.
 To ensure that users cannot disable encrypted remote connections, run the following:
-$ grep require-encryption /etc/dconf/db/local.d/locks/*
+$ grep require-encryption /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should be
 /org/gnome/Vino/require-encryption
       Is it the case that remote access connections are not encrypted?
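
Review bot: the first command in this hunk queries require-encrpytion, a misspelling of the require-encryption key that the grep line and the expected lock path use, so an assessor following the text queries a key that does not exist. Since this OCIL text is being edited anyway, please correct the key name in the gsettings command.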

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled
@@ -5,11 +5,11 @@
 [description]:
 To activate the screensaver in the GNOME3 desktop after a period of inactivity,
 add or set idle-activation-enabled to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 idle-activation-enabled=true
 Once the setting has been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/idle-activation-enabled
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_activation_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_activation_enabled_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.screensaver idle-activation-enabled
 If properly configured, the output should be true.
 To ensure that users cannot disable the screensaver idle inactivity setting, run the following:
-$ grep idle-activation-enabled /etc/dconf/db/local.d/locks/*
+$ grep idle-activation-enabled /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/screensaver/idle-activation-enabled
       Is it the case that idle-activation-enabled is not enabled or configured?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -4,12 +4,12 @@
 
 [description]:
 The idle time-out value for inactivity in the GNOME3 desktop is configured via the idle-delay
-setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/local.d directory
-and locked in /etc/dconf/db/local.d/locks directory to prevent user modification.
+setting must be set under an appropriate configuration file(s) in the /etc/dconf/db/gdm.d directory
+and locked in /etc/dconf/db/gdm.d/locks directory to prevent user modification.
 
          
 For example, to configure the system for a 15 minute delay, add the following to
-/etc/dconf/db/local.d/00-security-settings:
+/etc/dconf/db/gdm.d/00-security-settings:
 [org/gnome/desktop/session]
 idle-delay=uint32 900
 
@@ -137,7 +137,7 @@
 RHEL-08-020060
 
 [reference]:
-SV-230352r1155401_rule
+SV-230352r1017165_rule
 
 [rationale]:
 A session time-out lock is a temporary action taken when a user stops work and moves away from
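
Review bot: the reference changes from SV-230352r1155401_rule to SV-230352r1017165_rule, a lower revision suffix, while the PR description lists only dconf and CCE changes. The same kind of SV reference change repeats for other rules in this comparison. If it comes from the branch being behind master, a rebase would remove it; otherwise the STIG revision should not change as part of this PR.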

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_idle_delay_ocil:questionnaire:1
@@ -2,7 +2,7 @@
 $ gsettings get org.gnome.desktop.session idle-delay
 If properly configured, the output should be 'uint32 '.
 To ensure that users cannot change the screensaver inactivity timeout setting, run the following:
-$ grep idle-delay /etc/dconf/db/local.d/locks/*
+$ grep idle-delay /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/session/idle-delay
       Is it the case that idle-delay is set to 0 or a value greater than <sub idref="inactivity_timeout_value" />?
       
bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_idle_delay
@@ -2,6 +2,7 @@
 if rpm --quiet -q gdm; then
 
 inactivity_timeout_value=''
+
 
 
 # Check for setting in any of the DConf db directories

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -6,7 +6,7 @@
 To activate the locking delay of the screensaver in the GNOME3 desktop when
 the screensaver is activated, add or set lock-delay to uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
           in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 lock-delay=uint32 'xccdf_org.ssgproject.content_value_var_screensaver_lock_delay'
          

bash remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_delay
@@ -1,10 +1,8 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q gdm; then
 
-# apply fix for enable_dconf_user_profile, OVAL checks it
+var_screensaver_lock_delay=''
 
-
-var_screensaver_lock_delay=''
 
 
 # Check for setting in any of the DConf db directories

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -5,12 +5,12 @@
 [description]:
 To activate locking of the screensaver in the GNOME3 desktop when it is activated,
 add or set lock-enabled to true in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 lock-enabled=true
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/lock-enabled
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_lock_enabled_ocil:questionnaire:1
@@ -3,7 +3,7 @@
 $ gsettings get org.gnome.desktop.screensaver lock-enabled
 If properly configured, the output should be true.
 To ensure that users cannot change how long until the screensaver locks, run the following:
-$ grep lock-enabled /etc/dconf/db/local.d/locks/*
+$ grep lock-enabled /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output for lock-enabled should be /org/gnome/desktop/screensaver/lock-enabled
       Is it the case that screensaver locking is not enabled and/or has not been set or configured correctly?
       
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled' differs.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_lock_enabled
@@ -76,7 +76,7 @@
 - name: Enable GNOME3 Screensaver Lock After Idle Period - Enable GNOME3 Screensaver
     Lock After Idle Period
   community.general.ini_file:
-    dest: /etc/dconf/db/local.d/00-security-settings
+    dest: /etc/dconf/db/gdm.d/00-security-settings
     section: org/gnome/desktop/lockdown
     option: disable-lock-screen
     value: 'false'
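
Review bot: this task belongs to dconf_gnome_screensaver_lock_enabled, whose description in this comparison sets lock-enabled under org/gnome/desktop/screensaver, but the task writes disable-lock-screen under org/gnome/desktop/lockdown. With dest now pointing at the gdm.d database, please confirm that the Ansible remediation and the described setting are meant to differ, and that the check evaluates the key this task actually writes.
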
@@ -105,7 +105,7 @@
 - name: Enable GNOME3 Screensaver Lock After Idle Period - Prevent user modification
     of GNOME disable-lock-screen
   ansible.builtin.lineinfile:
-    path: /etc/dconf/db/local.d/locks/00-security-settings-lock
+    path: /etc/dconf/db/gdm.d/locks/00-security-settings-lock
     regexp: ^/org/gnome/desktop/lockdown/disable-lock-screen$
     line: /org/gnome/desktop/lockdown/disable-lock-screen
     create: true

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank
@@ -5,12 +5,12 @@
 [description]:
 To set the screensaver mode in the GNOME3 desktop to a blank screen,
 add or set picture-uri to string '' in
-/etc/dconf/db/local.d/00-security-settings. For example:
+/etc/dconf/db/gdm.d/00-security-settings. For example:
 [org/gnome/desktop/screensaver]
 picture-uri=string ''
 
 Once the settings have been added, add a lock to
-/etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+/etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/picture-uri
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_mode_blank' differs.
--- ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_mode_blank_ocil:questionnaire:1
@@ -3,7 +3,7 @@
 If properly configured, the output should be ''.
 
 To ensure that users cannot set the screensaver background, run the following:
-$ grep picture-uri /etc/dconf/db/local.d/locks/*
+$ grep picture-uri /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should be /org/gnome/desktop/screensaver/picture-uri
       Is it the case that it is not set or configured properly?
       
New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks
@@ -5,7 +5,7 @@
 [description]:
 If not already configured, ensure that users cannot change GNOME3 screensaver lock settings
 by adding /org/gnome/desktop/screensaver/lock-delay
-to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/screensaver/lock-delay
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_screensaver_user_locks' differs.
--- ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_screensaver_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'lock-delay' /etc/dconf/db/local.d/locks/*
+$ grep 'lock-delay' /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should return:
 /org/gnome/desktop/screensaver/lock-delay
       Is it the case that GNOME3 session settings are not locked or configured properly?

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks'.
--- xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
+++ xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks
@@ -5,7 +5,7 @@
 [description]:
 If not already configured, ensure that users cannot change GNOME3 session idle settings
 by adding /org/gnome/desktop/session/idle-delay
-to /etc/dconf/db/local.d/locks/00-security-settings-lock to prevent user modification.
+to /etc/dconf/db/gdm.d/locks/00-security-settings-lock to prevent user modification.
 For example:
 /org/gnome/desktop/session/idle-delay
 After the settings have been set, run dconf update.

OCIL for rule 'xccdf_org.ssgproject.content_rule_dconf_gnome_session_idle_user_locks' differs.
--- ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
+++ ocil:ssg-dconf_gnome_session_idle_user_locks_ocil:questionnaire:1
@@ -1,5 +1,5 @@
 To ensure that users cannot change session idle and lock settings, run the following:
-$ grep 'idle-delay' /etc/dconf/db/local.d/locks/*
+$ grep 'idle-delay' /etc/dconf/db/gdm.d/locks/*
 If properly configured, the output should return:
 /org/gnome/desktop/session/idle-delay
       Is it the case that idle-delay is not locked?

New content has different text for rule 'xccdf_org.ssgproject.content_rule_package_gssproxy_removed'.
--- xccdf_org.ssgproject.content_rule_package_gssproxy_removed
+++ xccdf_org.ssgproject.content_rule_package_gssproxy_removed
@@ -21,7 +21,7 @@
 RHEL-08-040370
 
 [reference]:
-SV-230559r1155398_rule
+SV-230559r1014820_rule
 
 [rationale]:
 gssproxy is a proxy for GSS API credential handling.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts'.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -137,6 +137,12 @@
 [reference]:
 10.2
 
+[reference]:
+RHEL-08-020340
+
+[reference]:
+SV-230381r1069295_rule
+
 [rationale]:
 Users need to be aware of activity that occurs regarding their account. Providing users with
 information regarding the number of unsuccessful attempts that were made to login to their

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_display_login_attempts' differs.
--- xccdf_org.ssgproject.content_rule_display_login_attempts
+++ xccdf_org.ssgproject.content_rule_display_login_attempts
@@ -4,6 +4,7 @@
   tags:
   - CCE-80788-3
   - CJIS-5.5.2
+  - DISA-STIG-RHEL-08-020340
   - NIST-800-53-AC-9
   - NIST-800-53-AC-9(1)
   - PCI-DSS-Req-10.2.4
@@ -27,6 +28,7 @@
   tags:
   - CCE-80788-3
   - CJIS-5.5.2
+  - DISA-STIG-RHEL-08-020340
   - NIST-800-53-AC-9
   - NIST-800-53-AC-9(1)
   - PCI-DSS-Req-10.2.4
@@ -54,6 +56,7 @@
   tags:
   - CCE-80788-3
   - CJIS-5.5.2
+  - DISA-STIG-RHEL-08-020340
   - NIST-800-53-AC-9
   - NIST-800-53-AC-9(1)
   - PCI-DSS-Req-10.2.4
@@ -130,6 +133,7 @@
   tags:
   - CCE-80788-3
   - CJIS-5.5.2
+  - DISA-STIG-RHEL-08-020340
   - NIST-800-53-AC-9
   - NIST-800-53-AC-9(1)
   - PCI-DSS-Req-10.2.4
@@ -424,6 +428,7 @@
   tags:
   - CCE-80788-3
   - CJIS-5.5.2
+  - DISA-STIG-RHEL-08-020340
   - NIST-800-53-AC-9
   - NIST-800-53-AC-9(1)
   - PCI-DSS-Req-10.2.4

New content has different text for rule 'xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction'.
--- xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
+++ xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
@@ -224,7 +224,7 @@
 RHEL-08-040172
 
 [reference]:
-SV-230531r1155396_rule
+SV-230531r1134890_rule
 
 [rationale]:
 A locally logged-in user who presses Ctrl-Alt-Del, when at the console,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth'.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -342,7 +342,7 @@
 RHEL-08-010152
 
 [reference]:
-SV-244523r1137691_rule
+SV-244523r1117265_rule
 
 [rationale]:
 This prevents attackers with physical access from trivially bypassing security

bash remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -10,7 +10,6 @@
 
 mkdir -p "${service_dropin_cfg_dir}"
 echo "[Service]" >> "${service_dropin_file}"
-echo "ExecStart=" >> "${service_dropin_file}"
 echo "ExecStart=-$sulogin" >> "${service_dropin_file}"
 
 else
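
Review bot: dropping the line that writes an empty ExecStart= means the drop-in now adds a second ExecStart to the unit instead of replacing the packaged one. systemd accepts more than one ExecStart only for Type=oneshot services, so the reset line should stay ahead of ExecStart=-$sulogin unless the target unit is known to be oneshot. If it was removed to satisfy a check, the check should tolerate the reset instead. The writes also use >>, so a second run appends another [Service] section to the same file.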

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_require_emergency_target_auth' differs.
--- xccdf_org.ssgproject.content_rule_require_emergency_target_auth
+++ xccdf_org.ssgproject.content_rule_require_emergency_target_auth
@@ -22,7 +22,6 @@
     dest: /etc/systemd/system/emergency.service.d/10-oscap.conf
     block: |-
       [Service]
-      ExecStart=
       ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
   when: '"kernel-core" in ansible_facts.packages'
   tags:
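
Review bot: the block loses its empty ExecStart= line here as well, so the drop-in at /etc/systemd/system/emergency.service.d/10-oscap.conf appends to the packaged ExecStart rather than overriding it. This task also hard-codes /usr/lib/systemd/systemd-sulogin-shell while the bash remediation writes $sulogin, so the two remediations can produce different drop-ins on the same host. Please keep the reset line and derive the path the same way in both.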

New content has different text for rule 'xccdf_org.ssgproject.content_rule_require_singleuser_auth'.
--- xccdf_org.ssgproject.content_rule_require_singleuser_auth
+++ xccdf_org.ssgproject.content_rule_require_singleuser_auth
@@ -375,7 +375,7 @@
 RHEL-08-010151
 
 [reference]:
-SV-230236r1137691_rule
+SV-230236r1117265_rule
 
 [rationale]:
 This prevents attackers with physical access from trivially bypassing security

bash remediation for rule 'xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow' differs.
--- xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
+++ xccdf_org.ssgproject.content_rule_no_empty_passwords_etc_shadow
@@ -1,7 +1,7 @@
 # Remediation is applicable only in certain platforms
 if rpm --quiet -q kernel-core; then
 
-readarray -t users_with_empty_pass < <(awk -F: '!$2 {print $1}' /etc/shadow)
+readarray -t users_with_empty_pass < <(sudo awk -F: '!$2 {print $1}' /etc/shadow)
 
 for user_with_empty_pass in "${users_with_empty_pass[@]}"
 do
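
Review bot: the added sudo in front of awk makes the remediation depend on sudo being installed and usable without a prompt. If the call fails inside the process substitution, users_with_empty_pass ends up empty and the loop silently does nothing, so accounts with empty passwords are left untouched with no error. A remediation that reads /etc/shadow already has to run as root, so the plain awk call should be kept. This change also falls outside the dconf scope given in the PR description.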

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout'.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -159,12 +159,6 @@
 [reference]:
 5.4.3.2
 
-[reference]:
-RHEL-08-020353
-
-[reference]:
-SV-230385r1017194_rule
-
 [rationale]:
 Terminating an idle session within a short time period reduces
 the window of opportunity for unauthorized personnel to take control of a
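
Review bot: this hunk removes RHEL-08-020353 and SV-230385r1017194_rule from accounts_tmout, and the same two references appear as additions on accounts_umask_etc_bashrc, accounts_umask_etc_csh_cshrc and accounts_umask_etc_profile further down. Moving a STIG ID between rules changes which rules a STIG profile selects and how results are reported, and nothing in the PR description covers it. Please confirm whether this comes from the branch base rather than from the PR, and rebase if so.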

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_tmout' differs.
--- xccdf_org.ssgproject.content_rule_accounts_tmout
+++ xccdf_org.ssgproject.content_rule_accounts_tmout
@@ -3,7 +3,6 @@
     manager: auto
   tags:
   - CCE-80673-7
-  - DISA-STIG-RHEL-08-020353
   - NIST-800-171-3.1.11
   - NIST-800-53-AC-12
   - NIST-800-53-AC-2(5)
@@ -32,7 +31,6 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-80673-7
-  - DISA-STIG-RHEL-08-020353
   - NIST-800-171-3.1.11
   - NIST-800-53-AC-12
   - NIST-800-53-AC-2(5)
@@ -57,7 +55,6 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-80673-7
-  - DISA-STIG-RHEL-08-020353
   - NIST-800-171-3.1.11
   - NIST-800-53-AC-12
   - NIST-800-53-AC-2(5)

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs'.
--- xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
+++ xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
@@ -10,6 +10,12 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+RHEL-08-010660
+
+[reference]:
+SV-230309r1017119_rule
+
 [rationale]:
 If user start-up files execute world-writable programs, especially in
 unprotected directories, they could be maliciously modified to destroy user

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
+++ xccdf_org.ssgproject.content_rule_accounts_user_dot_no_world_writable_programs
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption
@@ -18,6 +19,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption
@@ -33,6 +35,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption
@@ -50,6 +53,7 @@
     value_name=''data'')}}'
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption
@@ -67,6 +71,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption
@@ -87,6 +92,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption
@@ -105,6 +111,7 @@
   with_items: '{{ referenced_files.results }}'
   tags:
   - CCE-84039-7
+  - DISA-STIG-RHEL-08-010660
   - accounts_user_dot_no_world_writable_programs
   - low_complexity
   - low_disruption

xccdf_org.ssgproject.content_rule_accounts_user_interactive_home_directory_on_separate_partition is missing in new data stream.
New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
@@ -86,6 +86,12 @@
 [reference]:
 5.4.3.3
 
+[reference]:
+RHEL-08-020353
+
+[reference]:
+SV-230385r1017194_rule
+
 [rationale]:
 The umask value influences the permissions assigned to files when they are created.
 A misconfigured umask value could result in files with excessive permissions that can be read or

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_bashrc
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-81036-6
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_bashrc
@@ -30,6 +31,7 @@
   - '"bash" in ansible_facts.packages'
   tags:
   - CCE-81036-6
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_bashrc
@@ -50,6 +52,7 @@
   - umask_replace.found > 0
   tags:
   - CCE-81036-6
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_bashrc
@@ -70,6 +73,7 @@
   - umask_replace.found == 0
   tags:
   - CCE-81036-6
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_bashrc

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
@@ -79,6 +79,12 @@
 [reference]:
 SRG-OS-000480-GPOS-00227
 
+[reference]:
+RHEL-08-020353
+
+[reference]:
+SV-230385r1017194_rule
+
 [rationale]:
 The umask value influences the permissions assigned to files when they are created.
 A misconfigured umask value could result in files with excessive permissions that can be read or

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_csh_cshrc
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-81037-4
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_csh_cshrc
@@ -28,6 +29,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-81037-4
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_csh_cshrc
@@ -47,6 +49,7 @@
   - umask_replace.found > 0
   tags:
   - CCE-81037-4
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_csh_cshrc
@@ -66,6 +69,7 @@
   - umask_replace.found == 0
   tags:
   - CCE-81037-4
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_csh_cshrc

New content has different text for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile'.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
@@ -90,6 +90,12 @@
 [reference]:
 5.4.3.3
 
+[reference]:
+RHEL-08-020353
+
+[reference]:
+SV-230385r1017194_rule
+
 [rationale]:
 The umask value influences the permissions assigned to files when they are created.
 A misconfigured umask value could result in files with excessive permissions that can be read or

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile' differs.
--- xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
+++ xccdf_org.ssgproject.content_rule_accounts_umask_etc_profile
@@ -3,6 +3,7 @@
     manager: auto
   tags:
   - CCE-81035-8
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_profile
@@ -30,6 +31,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-81035-8
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_profile
@@ -52,6 +54,7 @@
   - result_profile_d_files.matched
   tags:
   - CCE-81035-8
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_profile
@@ -73,6 +76,7 @@
   - not result_profile_d_files.matched
   tags:
   - CCE-81035-8
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_profile
@@ -92,6 +96,7 @@
   when: '"kernel-core" in ansible_facts.packages'
   tags:
   - CCE-81035-8
+  - DISA-STIG-RHEL-08-020353
   - NIST-800-53-AC-6(1)
   - NIST-800-53-CM-6(a)
   - accounts_umask_etc_profile

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_admin_username'.
--- xccdf_org.ssgproject.content_rule_grub2_admin_username
+++ xccdf_org.ssgproject.content_rule_grub2_admin_username
@@ -317,7 +317,7 @@
 RHEL-08-010149
 
 [reference]:
-SV-244522r1137691_rule
+SV-244522r1117265_rule
 
 [rationale]:
 Having a non-default grub superuser username makes password-guessing attacks less effective.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_password'.
--- xccdf_org.ssgproject.content_rule_grub2_password
+++ xccdf_org.ssgproject.content_rule_grub2_password
@@ -313,7 +313,7 @@
 RHEL-08-010150
 
 [reference]:
-SV-230235r1137691_rule
+SV-230235r1117265_rule
 
 [rationale]:
 Password protection on the boot loader configuration ensures

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username'.
--- xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username
+++ xccdf_org.ssgproject.content_rule_grub2_uefi_admin_username
@@ -281,7 +281,7 @@
 RHEL-08-010141
 
 [reference]:
-SV-244521r1137691_rule
+SV-244521r1117265_rule
 
 [rationale]:
 Having a non-default grub superuser username makes password-guessing attacks less effective.

New content has different text for rule 'xccdf_org.ssgproject.content_rule_grub2_uefi_password'.
--- xccdf_org.ssgproject.content_rule_grub2_uefi_password
+++ xccdf_org.ssgproject.content_rule_grub2_uefi_password
@@ -277,7 +277,7 @@
 RHEL-08-010140
 
 [reference]:
-SV-230234r1137691_rule
+SV-230234r1117265_rule
 
 [rationale]:
 Password protection on the boot loader configuration ensures

New content has different text for rule 'xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter'.
--- xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
+++ xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_conf_all_rp_filter
@@ -268,7 +268,7 @@
 RHEL-08-040285
 
 [reference]:
-SV-230549r1155416_rule
+SV-230549r1017311_rule
 
 [rationale]:
 Enabling reverse path filtering drops packets with source addresses
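
Review bot: the `[reference]` for sysctl_net_ipv4_conf_all_rp_filter changes from `SV-230549r1155416_rule` to `SV-230549r1017311_rule` while the surrounding lines (RHEL-08-040285 and the rationale) are untouched, and the PR description says nothing about reference updates. Anyone matching scan results on the full SV string will see a different identifier after this build, so state in the description which value is intended, or drop the difference if it is not part of this change.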

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned'.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_root_owned
@@ -20,7 +20,7 @@
 RHEL-08-010700
 
 [reference]:
-SV-230318r1155352_rule
+SV-230318r1017129_rule
 
 [rationale]:
 Allowing a user account to own a world-writable directory is undesirable because it allows the

New content has different text for rule 'xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits'.
--- xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
+++ xccdf_org.ssgproject.content_rule_dir_perms_world_writable_sticky_bits
@@ -202,7 +202,7 @@
 RHEL-08-010190
 
 [reference]:
-SV-230243r1137695_rule
+SV-230243r1117267_rule
 
 [rationale]:
 Failing to set the sticky bit on public directories allows unauthorized users to delete files

New content has different text for rule 'xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files'.
--- xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
+++ xccdf_org.ssgproject.content_rule_root_permissions_syslibrary_files
@@ -29,7 +29,7 @@
 RHEL-08-010350
 
 [reference]:
-SV-230262r1155384_rule
+SV-230262r1101894_rule
 
 [rationale]:
 If the operating system were to allow any user to make changes to software libraries,

New content has different text for rule 'xccdf_org.ssgproject.content_rule_service_autofs_disabled'.
--- xccdf_org.ssgproject.content_rule_service_autofs_disabled
+++ xccdf_org.ssgproject.content_rule_service_autofs_disabled
@@ -245,7 +245,7 @@
 RHEL-08-040070
 
 [reference]:
-SV-230502r1155393_rule
+SV-230502r1017284_rule
 
 [rationale]:
 Disabling the automounter permits the administrator to

New content has different text for rule 'xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid'.
--- xccdf_org.ssgproject.content_rule_mount_option_boot_efi_nosuid
+++ xccdf_org.ssgproject.content_rul

... The diff is trimmed here ...

@ggbecker ggbecker modified the milestones: 0.1.80, 0.1.81 Feb 16, 2026

@Mab879 Mab879 left a comment

One minor fix I forgot to post.

…f_gnome_screensaver_lock_enabled/tests/comment.fail.sh

Co-authored-by: Matthew Burket <m@tthewburket.com>

Mab879 commented Feb 17, 2026

We're in the grace period for testing farm, merging.

@Mab879 Mab879 merged commit 88d27c6 into ComplianceAsCode:master Feb 17, 2026
50 of 143 checks passed