Merge branch 'ComplianceAsCode:master' into rhel-modular-cis

alexhaydock · web-flow · commit 8c8d6c7242ed · 2021-08-17T13:01:21.000+01:00
diff --git a/applications/openshift/integrity/file_integrity_exists/tests/ocp4/e2e-remediation.sh b/applications/openshift/integrity/file_integrity_exists/tests/ocp4/e2e-remediation.sh
@@ -12,7 +12,7 @@ while [ -z "$(oc get -n openshift-file-integrity --ignore-not-found deployment/f
 done
 
 echo "waiting for file-integrity-operator deployment to be ready"
-oc wait -n openshift-file-integrity --for=condition=Available  --timeout=120s \
+oc wait -n openshift-file-integrity --for=condition=Available  --timeout=300s \
     deployment/file-integrity-operator
 
 echo "installing file-integrity instance"
diff --git a/docs/manual/developer/06_contributing_with_content.md b/docs/manual/developer/06_contributing_with_content.md
@@ -1572,6 +1572,9 @@ the following to `rule.yml`:
     -   **oval_extend_definitions** - optional, list of additional OVAL
         definitions that have to pass along the generated check.
 
+        **sed_path_separator** - optional, default is `/`, sets the sed path separator. Set this
+        to a character like `#` if `/` is in use in your text.
+
 -   Languages: Ansible, Bash, OVAL
 
 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/ansible/shared.yml
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/bash/shared.sh
@@ -10,7 +10,7 @@ default_os_user="root"
 for username in $( sed 's/:.*//' /etc/passwd ) ; do
 	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
         then
-		userdel $username ; 
+		userdel $username ;
 	fi
 done
 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/oval/shared.xml
@@ -32,6 +32,6 @@
     var_ref="var_accounts_authorized_local_users_regex"></ind:subexpression>
   </ind:textfilecontent54_state>
 
-  <external_variable id="var_accounts_authorized_local_users_regex" version="1" datatype="string" 
+  <external_variable id="var_accounts_authorized_local_users_regex" version="1" datatype="string"
   comment="accounts authorized local users on operating system"/>
 </def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-prodtype: ol7,sle12,sle15
+prodtype: ol7,sle12,sle15,fedora,rhel8
 
 title: 'Only Authorized Local User Accounts Exist on Operating System'
 
@@ -26,11 +26,10 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-85987-6
     cce@sle12: CCE-83195-8
     cce@sle15: CCE-85561-9
 
-severity: medium
-
 references:
     disa: CCI-000366
     nist@sle12: CM-6(b),CM-6.1(iv)
@@ -41,6 +40,13 @@ references:
 
 ocil_clause: 'there are unauthorized local user accounts on the system'
 
+{{% if 'rhel' in product %}}
+warnings:
+    - general: |-
+        Automatic remediation of this control is not available. Due the unique
+        requirements of each system.
+{{% endif %}}
+
 ocil: |-
     To verify that there are no unauthorized local user accounts, run the following command:
     <pre>$ less /etc/passwd </pre>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/bad_user.fail.sh
@@ -0,0 +1,2 @@
+#! /bin/bash
+adduser testuser
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/accounts_authorized_local_users/tests/default.pass.sh
@@ -0,0 +1,16 @@
+#! /bin/bash
+# platform = multi_platform_rhel
+
+var_accounts_authorized_local_users_regex="^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
+
+# never delete the root user
+default_os_user="root"
+
+# delete users that is in /etc/passwd but neither in default_os_user
+# nor in var_accounts_authorized_local_users_regex
+for username in $( sed 's/:.*//' /etc/passwd ) ; do
+	if [[ ! "$username" =~ ($default_os_user|$var_accounts_authorized_local_users_regex) ]];
+        then
+		echo $username ;
+	fi
+done
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var b/linux_os/guide/system/accounts/accounts-restrictions/var_accounts_authorized_local_users_regex.var
@@ -22,5 +22,6 @@ operator: pattern match
 interactive: true
 
 options:
+    rhel8: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|systemd-resolve|systemd-coredump|sssd|rngd)$"
     ol7forsap: "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd)$"
     saponol7 : "^(root|bin|daemon|adm|lp|sync|shutdown|halt|mail|operator|games|ftp|nobody|pegasus|systemd-bus-proxy|systemd-network|dbus|polkitd|abrt|unbound|tss|libstoragemgmt|rpc|colord|usbmuxd$|pcp|saslauth|geoclue|setroubleshoot|rtkit|chrony|qemu|radvd|rpcuser|nfsnobody|pulse|gdm|gnome-initial-setup|postfix|avahi|ntp|sshd|tcpdump|oprofile|uuidd|[a-z][a-z0-9][a-z0-9]adm|ora[a-z][a-z0-9][a-z0-9]|sapadm|oracle)$"
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/ansible/shared.yml
@@ -0,0 +1,9 @@
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+{{{ ansible_set_config_file_dir(msg, "/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.conf", 
+                                "$ActionSendStreamDriverAuthMode", separator=' ', separator_regex='\s', 
+                                value="x509/name", create='yes') }}}
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/bash/shared.sh
@@ -0,0 +1,11 @@
+# platform = Red Hat Virtualization 4,multi_platform_fedora,multi_platform_rhel
+# reboot = false
+# strategy = configure
+# complexity = low
+# disruption = low
+
+if ! grep -s "\$ActionSendStreamDriverAuthMode\s*x509/name" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
+	mkdir -p /etc/rsyslog.d
+    sed -i '/^.*\$ActionSendStreamDriverAuthMode.*/d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
+    echo "\$ActionSendStreamDriverAuthMode x509/name" > /etc/rsyslog.d/stream_driver_auth.conf
+fi
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/oval/shared.xml
@@ -0,0 +1,43 @@
+<def-group>
+    <definition class="compliance" id="{{{ rule_id }}}" version="1">
+        {{{ oval_metadata("Rsyslogd must authenticate remote system its sending logs to.") }}}
+        <criteria operator="AND">
+            <criteria operator="OR">
+                 <criterion comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
+                            test_ref="test_{{{rule_id}}}_action_send_stream_driver_auth_mode" />
+                <criterion comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in files in /etc/rsyslog.d"
+                            test_ref="test_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir" />
+            </criteria>
+        </criteria>
+    </definition>
+
+    <ind:textfilecontent54_test check="all" check_existence="all_exist"
+                                comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
+                                id="test_{{{rule_id}}}_action_send_stream_driver_auth_mode" version="1">
+
+        <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_auth_mode" />
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{rule_id}}}_action_send_stream_driver_auth_mode"
+                                    comment="Check if  $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
+                                    version="1">
+        <ind:filepath>/etc/rsyslog.conf</ind:filepath>
+        <ind:pattern operation="pattern match">^\$ActionSendStreamDriverAuthMode x509/name$</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+
+    <ind:textfilecontent54_test check="all" check_existence="all_exist"
+                                comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.conf"
+                                id="test_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir" version="1">
+        <ind:object object_ref="obj_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir" />
+    </ind:textfilecontent54_test>
+
+    <ind:textfilecontent54_object id="obj_{{{rule_id}}}_action_send_stream_driver_auth_mode_dir"
+                                    comment="Check if $ActionSendStreamDriverAuthMode x509/name is set in /etc/rsyslog.d"
+                                    version="1">
+        <ind:path>/etc/rsyslog.d</ind:path>
+        <ind:filename operation="pattern match">^.*conf$</ind:filename>
+        <ind:pattern operation="pattern match">^\$ActionSendStreamDriverAuthMode x509/name$</ind:pattern>
+        <ind:instance datatype="int">1</ind:instance>
+    </ind:textfilecontent54_object>
+</def-group>
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: Ensure Rsyslog Authenticates Off-Loaded Audit Records
+
+description: |-
+    Rsyslogd is a system utility providing support for message logging. Support
+    for both internet and UNIX domain sockets enables this utility to support both local
+    and remote logging.  Couple this utility with <tt>gnutls</tt> (which is a secure communications
+    library implementing the SSL, TLS and DTLS protocols), and you have a method to securely
+    encrypt and off-load auditing.
+
+    When using <tt>rsyslogd</tt> to off-load logs the remote system must be authenticated.
+
+rationale: |-
+    The audit records generated by Rsyslog contain valuable information regarding system
+    configuration, user authentication, and other such information. Audit records should be
+    protected from unauthorized access.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86339-9
+
+references:
+    disa: CCI-001851
+    nist: AU-4(1)
+    srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+    stigid@rhel8: RHEL-08-030720
+
+
+ocil_clause: '$ActionSendStreamDriverAuthMode in /etc/rsyslog.conf is not set to x509/name'
+
+ocil: |-
+    Verify the operating system authenticates the remote logging server for off-loading audit logs with the following command:
+
+    <pre>$ sudo grep -i '$ActionSendStreamDriverAuthMode' /etc/rsyslog.conf /etc/rsyslog.d/*.conf</pre>
+    The output should be
+    <pre>$/etc/rsyslog.conf:$ActionSendStreamDriverAuthMode x509/name</pre>
+
+
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/default_no_pass.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+bash -x setup.sh
+
+if [[ -f encrypt.conf ]]; then
+  sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf
+fi
+  sed -i "/^\$ActionSendStreamDriverMod.*/d" /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslog_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode 0" >> /etc/rsyslog.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode x509/name" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/rsyslogd_wrong_value.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+bash -x setup.sh
+
+echo "\$ActionSendStreamDriverAuthMode x509/certvalid" >> /etc/rsyslog.d/encrypt.conf
diff --git a/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh b/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_encrypt_offload_actionsendstreamdriverauthmode/tests/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Use this script to ensure the rsyslog directory structure and rsyslog conf file
+# exist in the test env.
+config_file=/etc/rsyslog.conf
+
+# Ensure directory structure exists (useful for container based testing)
+test -f $config_file || touch $config_file
+
+test -d /etc/rsyslog.d/ || mkdir /etc/rsyslog.d/
diff --git a/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg b/products/rhel8/kickstart/ssg-rhel8-ism_o-ks.cfg
@@ -0,0 +1,116 @@
+# SCAP Security Guide ISM Official profile kickstart for Red Hat Enterprise Linux 8 Server
+# Version: 0.0.1
+# Date: 2021-08-16
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+#
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled	reject incoming connections that are not in response to outbound requests
+# --ssh		allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet"
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+# 
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+autopart
+
+# Harden installation with Essential Eight profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon org_fedora_oscap
+        content-type = scap-security-guide
+        profile = xccdf_org.ssgproject.content_profile_ism_o
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
@@ -54,6 +54,7 @@ selections:
     - sshd_approved_macs=stig
     - sshd_approved_ciphers=stig
     - sshd_idle_timeout_value=10_minutes
+    - var_accounts_authorized_local_users_regex=rhel8
     - var_accounts_passwords_pam_faillock_deny=3
     - var_accounts_passwords_pam_faillock_fail_interval=900
     - var_accounts_passwords_pam_faillock_unlock_time=never
@@ -590,7 +591,7 @@ selections:
     - accounts_logon_fail_delay
 
     # RHEL-08-020320
-    # - accounts_authorized_local_users
+    - accounts_authorized_local_users
 
     # RHEL-08-020330
     - sshd_disable_empty_passwords
@@ -914,6 +915,7 @@ selections:
     - rsyslog_encrypt_offload_actionsendstreamdrivermode
 
     # RHEL-08-030720
+    - rsyslog_encrypt_offload_actionsendstreamdriverauthmode
 
     # RHEL-08-030730
     # this rule expects configuration in MB instead percentage as how STIG demands
diff --git a/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-ism_o-ks.cfg
diff --git a/shared/macros-bash.jinja b/shared/macros-bash.jinja
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
diff --git a/shared/templates/lineinfile/bash.template b/shared/templates/lineinfile/bash.template
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
