ComplianceAsCode · Mab879 · Jan 6, 2025 · Jan 3, 2025 · Jan 3, 2025
diff --git a/controls/ospp.yml b/controls/ospp.yml
@@ -378,7 +378,6 @@ controls:
             - chronyd_client_only
             - package_chrony_installed
             - configure_usbguard_auditbackend
-            - package_fapolicyd_installed
             - package_usbguard_installed
             - service_usbguard_enabled
             - usbguard_allow_hid_and_hub

diff --git a/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml b/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_flush/rule.yml
@@ -36,6 +36,7 @@ references:
     nerc-cip: CIP-004-6 R2.2.3,CIP-004-6 R3.3,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
     nist: AU-11,CM-6(a)
     nist-csf: DE.CM-1,DE.CM-3,DE.CM-7,ID.SC-4,PR.PT-1
+    ospp: FAU_GEN.1
     srg: SRG-OS-000480-GPOS-00227
 
 ocil_clause: 'auditd is not configured to synchronously write audit event data to disk'

diff --git a/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml b/linux_os/guide/services/fapolicyd/package_fapolicyd_installed/rule.yml
@@ -21,6 +21,7 @@ identifiers:
 references:
     disa: CCI-001774,CCI-001764
     nist: CM-6(a),SI-4(22)
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000370-GPOS-00155,SRG-OS-000368-GPOS-00154,SRG-OS-000480-GPOS-00230
     stigid@ol8: OL08-00-040135
     stigid@rhel8: RHEL-08-040135

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_use_directory_configuration/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 
 references:
     hipaa: 164.312(a)
+    ospp: FCS_SSH_EXT.1
 
 ocil_clause: "you don't include other configuration files from the main configuration file"
 

diff --git a/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml b/linux_os/guide/services/usbguard/package_usbguard_installed/rule.yml
@@ -47,6 +47,7 @@ references:
     disa: CCI-001958,CCI-003959
     ism: "1418"
     nist: CM-8(3),IA-3
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000378-GPOS-00163,SRG-APP-000141-CTR-000315
     stigid@ol8: OL08-00-040139
     stigid@rhel8: RHEL-08-040139

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_init_on_alloc_argument/rule.yml
@@ -18,12 +18,15 @@ severity: medium
 
 identifiers:
     cce@rhel9: CCE-85867-0
+    cce@rhel10: CCE-86953-7
 
 ocil_clause: 'the kernel is not configured to zero out memory before allocation'
 
 ocil: |-
     {{{ ocil_grub2_argument("init_on_alloc=1") | indent(4) }}}
 
+references:
+    ospp: AVA_VAN.1
 
 template:
     name: grub2_bootloader_argument

diff --git a/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-grub2/grub2_page_alloc_shuffle_argument/rule.yml
@@ -31,6 +31,8 @@ ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
 ocil: |-
     {{{ ocil_grub2_argument("page_alloc.shuffle=1") | indent(4) }}}
 
+references:
+    ospp: AVA_VAN.1
 
 template:
     name: grub2_bootloader_argument

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bls_entries_only/rule.yml
@@ -16,6 +16,10 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-83485-3
     cce@rhel9: CCE-84092-6
+    cce@rhel10: CCE-87335-6
+
+references:
+    ospp: FPT_TST_EXT.1
 
 ocil_clause: 'a non BLS boot entry is configured'
 

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_bootmap_is_up_to_date/rule.yml
@@ -18,6 +18,10 @@ severity: medium
 identifiers:
     cce@rhel8: CCE-83486-1
     cce@rhel9: CCE-84098-3
+    cce@rhel10: CCE-87515-3
+
+references:
+    ospp: FPT_TST_EXT.1
 
 ocil_clause: 'the bootmap is outdated'
 

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_init_on_alloc_argument/rule.yml
@@ -22,6 +22,10 @@ severity: medium
 
 identifiers:
     cce@rhel9: CCE-85868-8
+    cce@rhel10: CCE-88443-7
+
+references:
+    ospp: AVA_VAN.1
 
 ocil_clause: 'the kernel is not configured to zero out memory before allocation'
 

diff --git a/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml b/linux_os/guide/system/bootloader-zipl/zipl_page_alloc_shuffle_argument/rule.yml
@@ -27,6 +27,10 @@ severity: medium
 
 identifiers:
     cce@rhel9: CCE-85880-3
+    cce@rhel10: CCE-89057-4
+
+references:
+    ospp: AVA_VAN.1
 
 ocil_clause: 'randomization of the page allocator is not enabled in the kernel'
 

diff --git a/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml b/linux_os/guide/system/network/network-uncommon/kernel_module_sctp_disabled/rule.yml
@@ -41,6 +41,7 @@ references:
     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
     nist: CM-7(a),CM-7(b),CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
+    ospp: FMT_SMF_EXT.1
     pcidss: Req-1.4.2
     srg: SRG-OS-000095-GPOS-00049,SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-040023

diff --git a/...stem/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml b/...stem/network/network-wireless/wireless_software/kernel_module_bluetooth_disabled/rule.yml
@@ -34,6 +34,7 @@ references:
     iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
     nist: AC-18(a),AC-18(3),CM-7(a),CM-7(b),CM-6(a),MP-7
     nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000095-GPOS-00049,SRG-OS-000300-GPOS-00118
     stigid@ol8: OL08-00-040111
     stigid@rhel8: RHEL-08-040111

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nodev/rule.yml
@@ -30,6 +30,7 @@ references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
     nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
     nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000368-GPOS-00154
     stigid@ol8: OL08-00-040129
     stigid@rhel8: RHEL-08-040129

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_noexec/rule.yml
@@ -28,6 +28,7 @@ references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
     nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
     nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000368-GPOS-00154
     stigid@ol8: OL08-00-040131
     stigid@rhel8: RHEL-08-040131

diff --git a/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml b/linux_os/guide/system/permissions/partitions/mount_option_var_log_audit_nosuid/rule.yml
@@ -29,6 +29,7 @@ references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 R2.3,CIP-007-3 R2.1,CIP-007-3 R2.2,CIP-007-3 R2.3,CIP-007-3 R5.1,CIP-007-3 R5.1.1,CIP-007-3 R5.1.2
     nist: CM-7(a),CM-7(b),CM-6(a),AC-6,AC-6(1),MP-7
     nist-csf: PR.IP-1,PR.PT-2,PR.PT-3
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000368-GPOS-00154
     stigid@ol8: OL08-00-040130
     stigid@rhel8: RHEL-08-040130

diff --git a/.../permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml b/.../permissions/restrictions/enable_execshield_settings/sysctl_kernel_kptr_restrict/rule.yml
@@ -26,6 +26,7 @@ references:
     disa: CCI-000366,CCI-002824,CCI-001082
     nerc-cip: CIP-002-5 R1.1,CIP-002-5 R1.2,CIP-003-8 R5.1.1,CIP-003-8 R5.3,CIP-004-6 4.1,CIP-004-6 4.2,CIP-004-6 R2.2.3,CIP-004-6 R2.2.4,CIP-004-6 R2.3,CIP-004-6 R4,CIP-005-6 R1,CIP-005-6 R1.1,CIP-005-6 R1.2,CIP-007-3 R3,CIP-007-3 R3.1,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.1.3,CIP-007-3 R5.2.1,CIP-007-3 R5.2.3,CIP-007-3 R8.4,CIP-009-6 R.1.1,CIP-009-6 R4
     nist: SC-30,SC-30(2),SC-30(5),CM-6(a)
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000132-GPOS-00067,SRG-OS-000433-GPOS-00192,SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-040283
     stigid@rhel8: RHEL-08-040283

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_dmesg_restrict/rule.yml
@@ -25,6 +25,7 @@ references:
     disa: CCI-001082,CCI-001090
     hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
     nist: SI-11(a),SI-11(b)
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600
     stigid@ol7: OL07-00-010375
     stigid@ol8: OL08-00-010375

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_kexec_load_disabled/rule.yml
@@ -20,6 +20,7 @@ identifiers:
 references:
     disa: CCI-003992,CCI-000366
     nist: CM-6
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000480-GPOS-00227,SRG-OS-000366-GPOS-00153
     stigid@ol8: OL08-00-010372
     stigid@rhel8: RHEL-08-010372

diff --git a/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml b/linux_os/guide/system/permissions/restrictions/sysctl_kernel_yama_ptrace_scope/rule.yml
@@ -24,6 +24,7 @@ identifiers:
 references:
     disa: CCI-000366,CCI-001082
     nist: SC-7(10)
+    ospp: FMT_SMF_EXT.1
     srg: SRG-OS-000132-GPOS-00067,SRG-OS-000480-GPOS-00227
     stigid@ol8: OL08-00-040282
     stigid@rhel8: RHEL-08-040282

diff --git a/linux_os/guide/system/selinux/selinux_policytype/rule.yml b/linux_os/guide/system/selinux/selinux_policytype/rule.yml
@@ -47,6 +47,7 @@ references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
     nist: AC-3,AC-3(3)(a),AU-9,SC-7(21)
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
+    ospp: FMT_MOF_EXT.1
     srg: SRG-OS-000445-GPOS-00199,SRG-APP-000233-CTR-000585
     stigid@ol7: OL07-00-020220
     stigid@ol8: OL08-00-010450

diff --git a/linux_os/guide/system/selinux/selinux_state/rule.yml b/linux_os/guide/system/selinux/selinux_state/rule.yml
@@ -40,6 +40,7 @@ references:
     nerc-cip: CIP-003-8 R5.1.1,CIP-003-8 R5.2,CIP-003-8 R5.3,CIP-004-6 R2.2.3,CIP-004-6 R2.3,CIP-004-6 R3.3,CIP-007-3 R5.1,CIP-007-3 R5.1.2,CIP-007-3 R5.2,CIP-007-3 R5.3.1,CIP-007-3 R5.3.2,CIP-007-3 R5.3.3,CIP-007-3 R6.5
     nist: AC-3,AC-3(3)(a),AU-9,SC-7(21)
     nist-csf: DE.AE-1,ID.AM-3,PR.AC-4,PR.AC-5,PR.AC-6,PR.DS-5,PR.PT-1,PR.PT-3,PR.PT-4
+    ospp: FMT_MOF_EXT.1
     srg: SRG-OS-000445-GPOS-00199,SRG-OS-000134-GPOS-00068
     stigid@ol7: OL07-00-020210
     stigid@ol8: OL08-00-010170

diff --git a/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml b/linux_os/guide/system/software/integrity/crypto/configure_openssl_crypto_policy/rule.yml
@@ -42,6 +42,7 @@ references:
     disa: CCI-001453
     nerc-cip: CIP-003-8 R4.2,CIP-007-3 R5.1,CIP-007-3 R7.1
     nist: AC-17(a),AC-17(2),CM-6(a),MA-4(6),SC-13,SC-12(2),SC-12(3)
+    ospp: FCS_CKM.1,FCS_CKM.1.1,FCS_CKM.2,FCS_COP.1/ENCRYPT,FCS_COP.1/HASH,FCS_COP.1/SIGN,FCS_COP.1/KEYHMAC,FCS_TLSC_EXT.1,FCS_TLSC_EXT.1.1
     pcidss: Req-2.2
     srg: SRG-OS-000250-GPOS-00093
     stigid@ol8: OL08-00-010293

diff --git a/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml b/linux_os/guide/system/software/updating/package_dnf-automatic_installed/rule.yml
@@ -20,6 +20,7 @@ identifiers:
     cce@sle15: CCE-91163-6
 
 references:
+    ospp: FPT_TUD_EXT.1,FPT_TUD_EXT.2
     srg: SRG-OS-000191-GPOS-00080
 
 ocil_clause: 'the package is not installed'

@@ -1,4 +1,4 @@
-documentation_complete: false
+documentation_complete: true
 
 metadata:
     version: 4.3

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -224,7 +224,6 @@ CCE-86935-4
 CCE-86936-2
 CCE-86937-0
 CCE-86952-9
-CCE-86953-7
 CCE-86955-2
 CCE-86956-0
 CCE-86958-6
@@ -446,7 +445,6 @@ CCE-87325-7
 CCE-87326-5
 CCE-87327-3
 CCE-87334-9
-CCE-87335-6
 CCE-87342-2
 CCE-87343-0
 CCE-87346-3
@@ -553,7 +551,6 @@ CCE-87510-4
 CCE-87511-2
 CCE-87512-0
 CCE-87513-8
-CCE-87515-3
 CCE-87516-1
 CCE-87517-9
 CCE-87519-5
@@ -1129,7 +1126,6 @@ CCE-88431-2
 CCE-88432-0
 CCE-88434-6
 CCE-88442-9
-CCE-88443-7
 CCE-88445-2
 CCE-88446-0
 CCE-88447-8
@@ -1503,7 +1499,6 @@ CCE-89050-9
 CCE-89052-5
 CCE-89053-3
 CCE-89054-1
-CCE-89057-4
 CCE-89065-7
 CCE-89066-5
 CCE-89067-3