Blob Blame History Raw
From e3844b648a537ae2d28aeb66b30522363e26c8c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Thu, 19 Aug 2021 15:58:08 +0200
Subject: [PATCH 1/4] Base the RHEL9 CIS preview on RHEL8

Harness the policy files to get a RHEL9 projection of the RHEL8 CIS.
---
 products/rhel9/profiles/cis.profile           | 1079 +----------------
 products/rhel9/profiles/cis_server_l1.profile |   19 +
 .../rhel9/profiles/cis_workstation_l1.profile |   19 +
 .../rhel9/profiles/cis_workstation_l2.profile |   19 +
 4 files changed, 63 insertions(+), 1073 deletions(-)
 create mode 100644 products/rhel9/profiles/cis_server_l1.profile
 create mode 100644 products/rhel9/profiles/cis_workstation_l1.profile
 create mode 100644 products/rhel9/profiles/cis_workstation_l2.profile

diff --git a/products/rhel9/profiles/cis.profile b/products/rhel9/profiles/cis.profile
index 8d7816e5e2..4240f743df 100644
--- a/products/rhel9/profiles/cis.profile
+++ b/products/rhel9/profiles/cis.profile
@@ -1,1086 +1,19 @@
 documentation_complete: true
 
 metadata:
-    version: 0.0.0
+    version: 1.0.1
     SMEs:
         - vojtapolasek
         - yuumasato
 
 reference: https://www.cisecurity.org/benchmark/red_hat_linux/
 
-title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark'
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Server'
 
 description: |-
-    This is a draft CIS profile based on the RHEL8 CIS
+    This is a draft profile based on its RHEL8 version for experimental purposes.
+    It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+    the release.
 
 selections:
-    # Necessary for dconf rules
-    - dconf_db_up_to_date
-
-    ### Partitioning
-    - mount_option_home_nodev
-
-    ## 1.1 Filesystem Configuration
-
-    ### 1.1.1 Disable unused filesystems
-
-    #### 1.1.1.1 Ensure mounting cramfs filesystems is disabled (Scored)
-    - kernel_module_cramfs_disabled
-
-    #### 1.1.1.2 Ensure mounting of vFAT filesystems is limited (Not Scored)
-
-
-    #### 1.1.1.3 Ensure mounting of squashfs filesystems is disabled (Scored)
-    - kernel_module_squashfs_disabled
-
-    #### 1.1.1.4 Ensure mounting of udf filesystems is disabled (Scored)
-    - kernel_module_udf_disabled
-
-    ### 1.1.2 Ensure /tmp is configured (Scored)
-    - partition_for_tmp
-
-    ### 1.1.3 Ensure nodev option set on /tmp partition (Scored)
-    - mount_option_tmp_nodev
-
-    ### 1.1.4 Ensure nosuid option set on /tmp partition (Scored)
-    - mount_option_tmp_nosuid
-
-    ### 1.1.5 Ensure noexec option set on /tmp partition (Scored)
-    - mount_option_tmp_noexec
-
-    ### 1.1.6 Ensure separate partition exists for /var (Scored)
-    - partition_for_var
-
-    ### 1.1.7 Ensure separate partition exists for /var/tmp (Scored)
-    - partition_for_var_tmp
-
-    ### 1.1.8 Ensure nodev option set on /var/tmp partition (Scored)
-    - mount_option_var_tmp_nodev
-
-    ### 1.1.9 Ensure nosuid option set on /var/tmp partition (Scored)
-    - mount_option_var_tmp_nosuid
-
-    ### 1.1.10 Ensure noexec option set on /var/tmp partition (Scored)
-    - mount_option_var_tmp_noexec
-
-    ### 1.1.11 Ensure separate partition exists for /var/log (Scored)
-    - partition_for_var_log
-
-    ### 1.1.12 Ensure separate partition exists for /var/log/audit (Scored)
-    - partition_for_var_log_audit
-
-    ### 1.1.13 Ensure separate partition exists for /home (Scored)
-    - partition_for_home
-
-    ### 1.1.14 Ensure nodev option set on /home partition (Scored)
-    - mount_option_home_nodev
-
-    ### 1.1.15 Ensure nodev option set on /dev/shm partition (Scored)
-    - mount_option_dev_shm_nodev
-
-    ### 1.1.16 Ensure nosuid option set on /dev/shm partition (Scored)
-    - mount_option_dev_shm_nosuid
-
-    ### 1.1.17 Ensure noexec option set on /dev/shm partition (Scored)
-    - mount_option_dev_shm_noexec
-
-    ### 1.1.18 Ensure nodev option set on removable media partitions (Not Scored)
-    - mount_option_nodev_removable_partitions
-
-    ### 1.1.19 Ensure nosuid option set on removable media partitions (Not Scored)
-    - mount_option_nosuid_removable_partitions
-
-    ### 1.1.20 Ensure noexec option set on removable media partitions (Not Scored)
-    - mount_option_noexec_removable_partitions
-
-    ### 1.1.21 Ensure sticky bit is set on all world-writable directories (Scored)
-    - dir_perms_world_writable_sticky_bits
-
-    ### 1.1.22 Disable Automounting (Scored)
-    - service_autofs_disabled
-
-    ### 1.1.23 Disable USB Storage (Scored)
-    - kernel_module_usb-storage_disabled
-
-    ## 1.2 Configure Software Updates
-
-    ### 1.2.1 Ensure Red Hat Subscription Manager connection is configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5218
-
-    ### 1.2.2 Disable the rhnsd Daemon (Not Scored)
-    - service_rhnsd_disabled
-
-    ### 1.2.3 Ensure GPG keys are configured (Not Scored)
-    - ensure_redhat_gpgkey_installed
-
-    ### 1.2.4 Ensure gpgcheck is globally activated (Scored)
-    - ensure_gpgcheck_globally_activated
-
-    ### 1.2.5 Ensure package manager repositories are configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5219
-
-    ## 1.3 Configure sudo
-
-    ### 1.3.1 Ensure sudo is installed (Scored)
-    - package_sudo_installed
-
-    ### 1.3.2 Ensure sudo commands use pty (Scored)
-    - sudo_add_use_pty
-
-    ### 1.3.3 Ensure sudo log file exists (Scored)
-    - sudo_custom_logfile
-
-    ## 1.4 Filesystem Integrity Checking
-
-    ### 1.4.1 Ensure AIDE is installed (Scored)
-    - package_aide_installed
-
-    ### 1.4.2 Ensure filesystem integrity is regularly checked (Scored)
-    - aide_periodic_cron_checking
-
-    ## Secure Boot Settings
-
-    ### 1.5.1 Ensure permissions on bootloader config are configured (Scored)
-    #### chown root:root /boot/grub2/grub.cfg
-    - file_owner_grub2_cfg
-    - file_groupowner_grub2_cfg
-
-    #### chmod og-rwx /boot/grub2/grub.cfg
-    - file_permissions_grub2_cfg
-
-    #### chown root:root /boot/grub2/grubenv
-    # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
-    #### chmod og-rwx /boot/grub2/grubenv
-    # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5222
-
-    ### 1.5.2 Ensure bootloader password is set (Scored)
-    - grub2_password
-
-    ### 1.5.3 Ensure authentication required for single user mode (Scored)
-    #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue
-    - require_singleuser_auth
-
-    #### ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency
-    - require_emergency_target_auth
-
-    ## 1.6 Additional Process Hardening
-
-    ### 1.6.1 Ensure core dumps are restricted (Scored)
-    #### * hard core 0
-    - disable_users_coredumps
-
-    #### fs.suid_dumpable = 0
-    - sysctl_fs_suid_dumpable
-
-    #### ProcessSizeMax=0
-    - coredump_disable_backtraces
-
-    #### Storage=none
-    - coredump_disable_storage
-
-    ### 1.6.2 Ensure address space layout randomization (ASLR) is enabled
-    - sysctl_kernel_randomize_va_space
-
-    ## 1.7 Mandatory Access Control
-
-    ### 1.7.1 Configure SELinux
-
-    #### 1.7.1.1 Ensure SELinux is installed (Scored)
-    - package_libselinux_installed
-
-    #### 1.7.1.2 Ensure SELinux is not disabled in bootloader configuration (Scored)
-    - grub2_enable_selinux
-
-    #### 1.7.1.3 Ensure SELinux policy is configured (Scored)
-    - var_selinux_policy_name=targeted
-    - selinux_policytype
- 
-    #### 1.7.1.4 Ensure the SELinux state is enforcing (Scored)
-    - var_selinux_state=enforcing
-    - selinux_state
-
-    #### 1.7.1.5 Ensure no unconfied services exist (Scored)
-    - selinux_confinement_of_daemons
-
-    #### 1.7.1.6 Ensure SETroubleshoot is not installed (Scored)
-    - package_setroubleshoot_removed
-
-    #### 1.7.1.7 Ensure the MCS Translation Service (mcstrans) is not installed (Scored)
-    - package_mcstrans_removed
-
-    ## Warning Banners
-
-    ### 1.8.1 Command Line Warning Baners
-
-    #### 1.8.1.1 Ensure message of the day is configured properly (Scored)
-    - banner_etc_motd
-
-    #### 1.8.1.2 Ensure local login warning banner is configured properly (Scored)
-    - banner_etc_issue
-
-    #### 1.8.1.3 Ensure remote login warning banner is configured properly (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5225
-
-    #### 1.8.1.4 Ensure permissions on /etc/motd are configured (Scored)
-    # chmod u-x,go-wx /etc/motd
-    - file_permissions_etc_motd
-
-    #### 1.8.1.5 Ensure permissions on /etc/issue are configured (Scored)
-    # chmod u-x,go-wx /etc/issue
-    - file_permissions_etc_issue
-
-    #### 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Scored)
-    # Previously addressed via 'rpm_verify_permissions' rule
-
-    ### 1.8.2 Ensure GDM login banner is configured (Scored)
-    #### banner-message-enable=true
-    - dconf_gnome_banner_enabled
-
-    #### banner-message-text='<banner message>'
-    - dconf_gnome_login_banner_text
-
-    ## 1.9 Ensure updates, patches, and additional security software are installed (Scored)
-    - security_patches_up_to_date
-
-    ## 1.10 Ensure system-wide crypto policy is not legacy (Scored)
-    - var_system_crypto_policy=future
-    - configure_crypto_policy
-
-    ## 1.11 Ensure system-wide crytpo policy is FUTURE or FIPS (Scored)
-    # Previously addressed via 'configure_crypto_policy' rule
-
-    # Services
-
-    ## 2.1 inetd Services
-
-    ### 2.1.1 Ensure xinetd is not installed (Scored)
-    - package_xinetd_removed
-
-    ## 2.2 Special Purpose Services
-
-    ### 2.2.1 Time Synchronization
-
-    #### 2.2.1.1 Ensure time synchronization is in use (Not Scored)
-    - package_chrony_installed
-
-    #### 2.2.1.2 Ensure chrony is configured (Scored)
-    - service_chronyd_enabled
-    - chronyd_specify_remote_server
-    - chronyd_run_as_chrony_user
-
-    ### 2.2.2 Ensure X Window System is not installed (Scored)
-    - package_xorg-x11-server-common_removed
-    - xwindows_runlevel_target
-
-    ### 2.2.3 Ensure rsync service is not enabled (Scored)
-    - service_rsyncd_disabled
-
-    ### 2.2.4 Ensure Avahi Server is not enabled (Scored)
-    - service_avahi-daemon_disabled
-
-    ### 2.2.5 Ensure SNMP Server is not enabled (Scored)
-    - service_snmpd_disabled
-
-    ### 2.2.6 Ensure HTTP Proxy Server is not enabled (Scored)
-    - package_squid_removed
-
-    ### 2.2.7 Ensure Samba is not enabled (Scored)
-    - service_smb_disabled
-
-    ### 2.2.8 Ensure IMAP and POP3 server is not enabled (Scored)
-    - service_dovecot_disabled
-
-    ### 2.2.9 Ensure HTTP server is not enabled (Scored)
-    - service_httpd_disabled
-
-    ### 2.2.10 Ensure FTP Server is not enabled (Scored)
-    - service_vsftpd_disabled
-
-    ### 2.2.11 Ensure DNS Server is not enabled (Scored)
-    - service_named_disabled
-
-    ### 2.2.12 Ensure NFS is not enabled (Scored)
-    - service_nfs_disabled
-
-    ### 2.2.13 Ensure RPC is not enabled (Scored)
-    - service_rpcbind_disabled
-
-    ### 2.2.14 Ensure LDAP service is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5231
-
-    ### 2.2.15 Ensure DHCP Server is not enabled (Scored)
-    - service_dhcpd_disabled
-
-    ### 2.2.16 Ensure CUPS is not enabled (Scored)
-    - service_cups_disabled
-
-    ### 2.2.17 Ensure NIS Server is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5232
-
-    ### 2.2.18 Ensure mail transfer agent is configured for
-    ###        local-only mode (Scored)
-    - postfix_network_listening_disabled
-
-    ## 2.3 Service Clients
-
-    ### 2.3.1 Ensure NIS Client is not installed (Scored)
-    - package_ypbind_removed
-
-    ### 2.3.2 Ensure telnet client is not installed (Scored)
-    - package_telnet_removed
-
-    ### Ensure LDAP client is not installed
-    - package_openldap-clients_removed
-
-    # 3 Network Configuration
-
-    ## 3.1 Network Parameters (Host Only)
-
-    ### 3.1.1 Ensure IP forwarding is disabled (Scored)
-    #### net.ipv4.ip_forward = 0
-    - sysctl_net_ipv4_ip_forward
-
-    #### net.ipv6.conf.all.forwarding = 0
-    - sysctl_net_ipv6_conf_all_forwarding
-
-    ### 3.1.2 Ensure packet redirect sending is disabled (Scored)
-    #### net.ipv4.conf.all.send_redirects = 0
-    - sysctl_net_ipv4_conf_all_send_redirects
-
-    #### net.ipv4.conf.default.send_redirects = 0
-    - sysctl_net_ipv4_conf_default_send_redirects
-
-    ## 3.2 Network Parameters (Host and Router)
-
-    ### 3.2.1 Ensure source routed packets are not accepted (Scored)
-    #### net.ipv4.conf.all.accept_source_route = 0
-    - sysctl_net_ipv4_conf_all_accept_source_route
-
-    #### net.ipv4.conf.default.accept_source_route = 0
-    - sysctl_net_ipv4_conf_default_accept_source_route
-
-    #### net.ipv6.conf.all.accept_source_route = 0
-    - sysctl_net_ipv6_conf_all_accept_source_route
-
-    #### net.ipv6.conf.default.accept_source_route = 0
-    - sysctl_net_ipv6_conf_default_accept_source_route
-
-    ### 3.2.2 Ensure ICMP redirects are not accepted (Scored)
-    #### net.ipv4.conf.all.accept_redirects = 0
-    - sysctl_net_ipv4_conf_all_accept_redirects
-
-    #### net.ipv4.conf.default.accept_redirects
-    - sysctl_net_ipv4_conf_default_accept_redirects
-
-    #### net.ipv6.conf.all.accept_redirects = 0
-    - sysctl_net_ipv6_conf_all_accept_redirects
-
-    #### net.ipv6.conf.defaults.accept_redirects = 0
-    - sysctl_net_ipv6_conf_default_accept_redirects
-
-    ### 3.2.3 Ensure secure ICMP redirects are not accepted (Scored)
-    #### net.ipv4.conf.all.secure_redirects = 0
-    - sysctl_net_ipv4_conf_all_secure_redirects
-
-    #### net.ipv4.cof.default.secure_redirects = 0
-    - sysctl_net_ipv4_conf_default_secure_redirects
-
-    ### 3.2.4 Ensure suspicious packets are logged (Scored)
-    #### net.ipv4.conf.all.log_martians = 1
-    - sysctl_net_ipv4_conf_all_log_martians
-
-    #### net.ipv4.conf.default.log_martians = 1
-    - sysctl_net_ipv4_conf_default_log_martians
-
-    ### 3.2.5 Ensure broadcast ICMP requests are ignored (Scored)
-    - sysctl_net_ipv4_icmp_echo_ignore_broadcasts
-
-    ### 3.2.6 Ensure bogus ICMP responses are ignored (Scored)
-    - sysctl_net_ipv4_icmp_ignore_bogus_error_responses
-
-    ### 3.2.7 Ensure Reverse Path Filtering is enabled (Scored)
-    #### net.ipv4.conf.all.rp_filter = 1
-    - sysctl_net_ipv4_conf_all_rp_filter
-    
-    #### net.ipv4.conf.default.rp_filter = 1
-    - sysctl_net_ipv4_conf_default_rp_filter
-
-    ### 3.2.8 Ensure TCP SYN Cookies is enabled (Scored)
-    - sysctl_net_ipv4_tcp_syncookies
-
-    ### 3.2.9 Ensure IPv6 router advertisements are not accepted (Scored)
-    #### net.ipv6.conf.all.accept_ra = 0
-    - sysctl_net_ipv6_conf_all_accept_ra
-
-    #### net.ipv6.conf.default.accept_ra = 0
-    - sysctl_net_ipv6_conf_default_accept_ra
-
-    ## 3.3 Uncommon Network Protocols
-
-    ### 3.3.1 Ensure DCCP is disabled (Scored)
-    - kernel_module_dccp_disabled
-
-    ### Ensure SCTP is disabled (Scored)
-    - kernel_module_sctp_disabled
-
-    ### 3.3.3 Ensure RDS is disabled (Scored)
-    - kernel_module_rds_disabled
-
-    ### 3.3.4 Ensure TIPC is disabled (Scored)
-    - kernel_module_tipc_disabled
-
-    ## 3.4 Firewall Configuration
-
-    ### 3.4.1 Ensure Firewall software is installed
-
-    #### 3.4.1.1 Ensure a Firewall package is installed (Scored)
-    ##### firewalld
-    - package_firewalld_installed
-
-    ##### nftables
-    #NEED RULE - https://github.com/ComplianceAsCode/content/issues/5237
-
-    ##### iptables
-    #- package_iptables_installed
-
-    ### 3.4.2 Configure firewalld
-
-    #### 3.4.2.1 Ensure firewalld service is enabled and running (Scored)
-    - service_firewalld_enabled
-
-    #### 3.4.2.2 Ensure iptables is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5238
-
-    #### 3.4.2.3 Ensure nftables is not enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5239
-
-    #### 3.4.2.4 Ensure default zone is set (Scored)
-    - set_firewalld_default_zone
-
-    #### 3.4.2.5 Ensure network interfaces are assigned to
-    ####         appropriate zone (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5240
-
-    #### 3.4.2.6 Ensure unnecessary services and ports are not
-    ####         accepted (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5241
-
-    ### 3.4.3 Configure nftables
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5242
-
-    #### 3.4.3.1 Ensure iptables are flushed (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5243
-
-    #### 3.4.3.2 Ensure a table exists (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5244
-
-    #### 3.4.3.3 Ensure base chains exist (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5245
-
-    #### 3.4.3.4 Ensure loopback traffic is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5246
-
-    #### 3.4.3.5 Ensure outbound and established connections are
-    ####         configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5247
-
-    #### 3.4.3.6 Ensure default deny firewall policy (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5248
-
-    #### 3.4.3.7 Ensure nftables service is enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5249
-
-    #### 3.4.3.8 Ensure nftables rules are permanent (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5250
-
-    ### 3.4.4 Configure iptables
-
-    #### 3.4.4.1 Configure IPv4 iptables
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5251
-
-    ##### 3.4.4.1.1 Ensure default deny firewall policy (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5252
-
-    ##### 3.4.4.1.2 Ensure loopback traffic is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5253
-
-    ##### 3.4.4.1.3 Ensure outbound and established connections are
-    #####           configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5254
-
-    ##### 3.4.4.1.4 Ensure firewall rules exist for all open ports (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5255
-
-    #### 3.4.4.2 Configure IPv6 ip6tables
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5256
-
-    ##### 3.4.4.2.1 Ensure IPv6 default deny firewall policy (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5257
-
-    ##### 3.4.4.2.2 Ensure IPv6 loopback traffic is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5258
-
-    ##### 3.4.4.2.3 Ensure IPv6 outbound and established connections are
-    #####           configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5260
-
-    ## 3.5 Ensure wireless interfaces are disabled (Scored)
-    - wireless_disable_interfaces
-
-    ## 3.6 Disable IPv6 (Not Scored)
-    - kernel_module_ipv6_option_disabled
-
-    # Logging and Auditing
-
-    ## 4.1 Configure System Accounting (auditd)
-
-    ### 4.1.1 Ensure auditing is enabled
-
-    #### 4.1.1.1 Ensure auditd is installed (Scored)
-    - package_audit_installed
-
-    #### 4.1.1.2 Ensure auditd service is enabled (Scored)
-    - service_auditd_enabled
-
-    #### 4.1.1.3 Ensure auditing for processes that start prior to audit
-    ####         is enabled (Scored)
-    - grub2_audit_argument
-
-    #### 4.1.1.4 Ensure audit_backlog_limit is sufficient (Scored)
-    - grub2_audit_backlog_limit_argument
-
-    ### 4.1.2 Configure Data Retention
-
-    #### 4.1.2.1 Ensure audit log storage size is configured (Scored)
-    - auditd_data_retention_max_log_file
-
-    #### 4.1.2.2 Ensure audit logs are not automatically deleted (Scored)
-    - auditd_data_retention_max_log_file_action
-
-    #### 4.1.2.3 Ensure system is disabled when audit logs are full (Scored)
-    - var_auditd_space_left_action=email
-    - auditd_data_retention_space_left_action
-
-    ##### action_mail_acct = root
-    - var_auditd_action_mail_acct=root
-    - auditd_data_retention_action_mail_acct
-
-    ##### admin_space_left_action = halt
-    - var_auditd_admin_space_left_action=halt
-    - auditd_data_retention_admin_space_left_action 
-
-    ### 4.1.3 Ensure changes to system administration scope
-    ###       (sudoers) is collected (Scored)
-    - audit_rules_sysadmin_actions
-
-    ### 4.1.4 Ensure login and logout events are collected (Scored)
-    - audit_rules_login_events_faillock
-    - audit_rules_login_events_lastlog
-
-    ### 4.1.5 Ensure session initiation information is collected (Scored)
-    - audit_rules_session_events
-
-    ### 4.1.6 Ensure events that modify date and time information
-    ###       are collected (Scored)
-    #### adjtimex
-    - audit_rules_time_adjtimex
-
-    #### settimeofday
-    - audit_rules_time_settimeofday
-
-    #### stime
-    - audit_rules_time_stime
-
-    #### clock_settime
-    - audit_rules_time_clock_settime
-
-    #### -w /etc/localtime -p wa
-    - audit_rules_time_watch_localtime
-
-    ### 4.1.7 Ensure events that modify the system's Mandatory
-    ###       Access Control are collected (Scored)
-    #### -w /etc/selinux/ -p wa
-    - audit_rules_mac_modification
-
-    #### -w /usr/share/selinux/ -p wa
-    # NEED RULE - https://github.com/ComplianceAsCode/content/issues/5264
-
-    ### 4.1.8 Ensure events that modify the system's network
-    ###       enironment are collected (Scored)
-    - audit_rules_networkconfig_modification
-
-    ### 4.1.9 Ensure discretionary access control permission modification
-    ###       events are collected (Scored)
-    - audit_rules_dac_modification_chmod
-    - audit_rules_dac_modification_fchmod
-    - audit_rules_dac_modification_fchmodat
-    - audit_rules_dac_modification_chown
-    - audit_rules_dac_modification_fchown
-    - audit_rules_dac_modification_fchownat
-    - audit_rules_dac_modification_lchown
-    - audit_rules_dac_modification_setxattr
-    - audit_rules_dac_modification_lsetxattr
-    - audit_rules_dac_modification_fsetxattr
-    - audit_rules_dac_modification_removexattr
-    - audit_rules_dac_modification_lremovexattr
-    - audit_rules_dac_modification_fremovexattr
-    
-    ### 4.1.10 Ensure unsuccessful unauthorized file access attempts are
-    ###        collected (Scored)
-    - audit_rules_unsuccessful_file_modification_creat
-    - audit_rules_unsuccessful_file_modification_open
-    - audit_rules_unsuccessful_file_modification_openat
-    - audit_rules_unsuccessful_file_modification_truncate
-    - audit_rules_unsuccessful_file_modification_ftruncate
-    # Opinionated selection
-    - audit_rules_unsuccessful_file_modification_open_by_handle_at
-
-    ### 4.1.11 Ensure events that modify user/group information are
-    ###        collected (Scored)
-    - audit_rules_usergroup_modification_passwd
-    - audit_rules_usergroup_modification_group
-    - audit_rules_usergroup_modification_gshadow
-    - audit_rules_usergroup_modification_shadow
-    - audit_rules_usergroup_modification_opasswd
-
-    ### 4.1.12 Ensure successful file system mounts are collected (Scored)
-    - audit_rules_media_export
-
-    ### 4.1.13 Ensure use of privileged commands is collected (Scored)
-    - audit_rules_privileged_commands
-
-    ### 4.1.14 Ensure file deletion events by users are collected
-    ###        (Scored)
-    - audit_rules_file_deletion_events_unlink
-    - audit_rules_file_deletion_events_unlinkat
-    - audit_rules_file_deletion_events_rename
-    - audit_rules_file_deletion_events_renameat
-    # Opinionated selection
-    - audit_rules_file_deletion_events_rmdir
-
-    ### 4.1.15 Ensure kernel module loading and unloading is collected
-    ###        (Scored)
-    - audit_rules_kernel_module_loading
-
-    ### 4.1.16 Ensure system administrator actions (sudolog) are
-    ###        collected (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5516
-
-    ### 4.1.17 Ensure the audit configuration is immutable (Scored)
-    - audit_rules_immutable
-
-    ## 4.2 Configure Logging
-
-    ### 4.2.1 Configure rsyslog
-
-    #### 4.2.1.1 Ensure rsyslog is installed (Scored)
-    - package_rsyslog_installed
-
-    #### 4.2.1.2 Ensure rsyslog Service is enabled (Scored)
-    - service_rsyslog_enabled
-
-    #### 4.2.1.3 Ensure rsyslog default file permissions configured (Scored)
-    - rsyslog_files_permissions
-
-    #### 4.2.1.4 Ensure logging is configured (Not Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5519
-
-    #### 4.2.1.5 Ensure rsyslog is configured to send logs to a remote
-    ####         log host (Scored)   
-    - rsyslog_remote_loghost
-
-    #### 4.2.1.6 Ensure remote rsyslog messages are only accepted on
-    ####         designated log hosts (Not Scored)
-    - rsyslog_nolisten
-
-    ### 4.2.2 Configure journald
-
-    #### 4.2.2.1 Ensure journald is configured to send logs to
-    ####         rsyslog (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5520
-
-    #### 4.2.2.2 Ensure journald is configured to compress large
-    ####         log files (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5521
-
-
-    #### 4.2.2.3 Ensure journald is configured to write logfiles to
-    ####         persistent disk (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5522
-
-    ### 4.2.3 Ensure permissions on all logfiles are configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5523
-
-    ## 4.3 Ensure logrotate is configured (Not Scored)
-
-    # 5 Access, Authentication and Authorization
-
-    ## 5.1 Configure cron
-
-    ### 5.1.1 Ensure cron daemon is enabled (Scored)
-    - service_crond_enabled
-
-
-    ### 5.1.2 Ensure permissions on /etc/crontab are configured (Scored)
-    # chown root:root /etc/crontab
-    - file_owner_crontab
-    - file_groupowner_crontab
-    # chmod og-rwx /etc/crontab
-    - file_permissions_crontab
-
-    ### 5.1.3 Ensure permissions on /etc/cron.hourly are configured (Scored)
-    # chown root:root /etc/cron.hourly
-    - file_owner_cron_hourly
-    - file_groupowner_cron_hourly
-    # chmod og-rwx /etc/cron.hourly
-    - file_permissions_cron_hourly
-
-    ### 5.1.4 Ensure permissions on /etc/cron.daily are configured (Scored)
-    # chown root:root /etc/cron.daily
-    - file_owner_cron_daily
-    - file_groupowner_cron_daily
-    # chmod og-rwx /etc/cron.daily
-    - file_permissions_cron_daily
-
-    ### 5.1.5 Ensure permissions on /etc/cron.weekly are configured (Scored)
-    # chown root:root /etc/cron.weekly
-    - file_owner_cron_weekly
-    - file_groupowner_cron_weekly
-    # chmod og-rwx /etc/cron.weekly
-    - file_permissions_cron_weekly
-
-    ### 5.1.6 Ensure permissions on /etc/cron.monthly are configured (Scored)
-    # chown root:root /etc/cron.monthly
-    - file_owner_cron_monthly
-    - file_groupowner_cron_monthly
-    # chmod og-rwx /etc/cron.monthly
-    - file_permissions_cron_monthly
-
-    ### 5.1.7 Ensure permissions on /etc/cron.d are configured (Scored)
-    # chown root:root /etc/cron.d
-    - file_owner_cron_d
-    - file_groupowner_cron_d
-    # chmod og-rwx /etc/cron.d
-    - file_permissions_cron_d
-
-    ### 5.1.8 Ensure at/cron is restricted to authorized users (Scored)
-
-
-    ## 5.2 SSH Server Configuration
-
-    ### 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
-    # chown root:root /etc/ssh/sshd_config
-    - file_owner_sshd_config
-    - file_groupowner_sshd_config
-
-    # chmod og-rwx /etc/ssh/sshd_config
-    - file_permissions_sshd_config
-
-    ### 5.2.2 Ensure SSH access is limited (Scored) 
-
-
-    ### 5.2.3 Ensure permissions on SSH private host key files are
-    ###       configured (Scored)
-    # TO DO: The rule sets to 640, but benchmark wants 600
-    - file_permissions_sshd_private_key
-    # TO DO: check owner of private keys in /etc/ssh is root:root
-
-    ### 5.2.4 Ensure permissions on SSH public host key files are configured
-    ###      (Scored)
-    - file_permissions_sshd_pub_key
-    # TO DO: check owner of pub keys in /etc/ssh is root:root
-
-    # Ensure that the configuration is done the right way
-    - sshd_use_directory_configuration
-    ### 5.2.5 Ensure SSH LogLevel is appropriate (Scored)
-    - sshd_set_loglevel_info
-
-    ### 5.2.6 Ensure SSH X11 forward is disabled (Scored)
-    - sshd_disable_x11_forwarding
-
-    ### 5.2.7 Ensure SSH MaxAuthTries is set to 4 or less (Scored)
-    - sshd_max_auth_tries_value=4
-    - sshd_set_max_auth_tries
-
-    ### 5.2.8 Ensure SSH IgnoreRhosts is enabled (Scored)
-    - sshd_disable_rhosts
-
-    ### 5.2.9 Ensure SSH HostbasedAuthentication is disabled (Scored)
-    - disable_host_auth
-
-    ### 5.2.10 Ensure SSH root login is disabled (Scored)
-    - sshd_disable_root_login
-
-    ### 5.2.11 Ensure SSH PermitEmptyPasswords is disabled (Scored)
-    - sshd_disable_empty_passwords
-
-    ### 5.2.12 Ensure SSH PermitUserEnvironment is disabled (Scored)
-    - sshd_do_not_permit_user_env
-
-    ### 5.2.13 Ensure SSH Idle Timeout Interval is configured (Scored)
-    # ClientAliveInterval 300
-    - sshd_idle_timeout_value=5_minutes
-    - sshd_set_idle_timeout
-
-    # ClientAliveCountMax 0
-    - var_sshd_set_keepalive=0
-
-    ### 5.2.14 Ensure SSH LoginGraceTime is set to one minute
-    ###        or less (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5525
-
-    ### 5.2.15 Ensure SSH warning banner is configured (Scored)
-    - sshd_enable_warning_banner
-
-    ### 5.2.16 Ensure SSH PAM is enabled (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5526
-
-    ### 5.2.17 Ensure SSH AllowTcpForwarding is disabled (Scored)
-    - sshd_disable_tcp_forwarding
-
-    ### 5.2.18 Ensure SSH MaxStarups is configured (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5528
-
-    ### 5.2.19 Ensure SSH MaxSessions is set to 4 or less (Scored)
-    - sshd_set_max_sessions
-    - var_sshd_max_sessions=4
-
-    ### 5.2.20 Ensure system-wide crypto policy is not over-ridden (Scored)
-    - configure_ssh_crypto_policy
-
-    ## 5.3 Configure authselect
-
-
-    ### 5.3.1 Create custom authselectet profile (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5530
-
-    ### 5.3.2 Select authselect profile (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5531
-
-    ### 5.3.3 Ensure authselect includes with-faillock (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5532
-
-    ## 5.4 Configure PAM
-
-    ### 5.4.1 Ensure password creation requirements are configured (Scored)
-    # NEEDS RULE: try_first_pass - https://github.com/ComplianceAsCode/content/issues/5533
-    - accounts_password_pam_retry
-    - var_password_pam_minlen=14
-    - accounts_password_pam_minlen
-    - var_password_pam_minclass=4
-    - accounts_password_pam_minclass
-
-    ### 5.4.2 Ensure lockout for failed password attempts is
-    ###       configured (Scored)
-    - var_accounts_passwords_pam_faillock_unlock_time=900
-    - var_accounts_passwords_pam_faillock_deny=5
-    - accounts_passwords_pam_faillock_unlock_time
-    - accounts_passwords_pam_faillock_deny
-
-    ### 5.4.3 Ensure password reuse is limited (Scored)
-    - var_password_pam_unix_remember=5
-    - accounts_password_pam_unix_remember
-
-    ### 5.4.4 Ensure password hashing algorithm is SHA-512 (Scored)
-    - set_password_hashing_algorithm_systemauth
-
-    ## 5.5 User Accounts and Environment
-
-    ### 5.5.1 Set Shadow Password Suite Parameters
-
-    #### 5.5.1 Ensure password expiration is 365 days or less (Scored)
-    - var_accounts_maximum_age_login_defs=365
-    - accounts_maximum_age_login_defs
-
-    #### 5.5.1.2 Ensure minimum days between password changes is 7
-    ####         or more (Scored)
-    - var_accounts_minimum_age_login_defs=7
-    - accounts_minimum_age_login_defs
-
-    #### 5.5.1.3 Ensure password expiration warning days is
-    ####         7 or more (Scored)
-    - var_accounts_password_warn_age_login_defs=7
-    - accounts_password_warn_age_login_defs
-
-    #### 5.5.1.4 Ensure inactive password lock is 30 days or less (Scored)
-    # TODO: Rule doesn't check list of users
-    # https://github.com/ComplianceAsCode/content/issues/5536
-    - var_account_disable_post_pw_expiration=30
-    - account_disable_post_pw_expiration
-
-    #### 5.5.1.5 Ensure all users last password change date is
-    ####         in the past (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5537
-
-    ### 5.5.2 Ensure system accounts are secured (Scored)
-    - no_shelllogin_for_systemaccounts
-
-    ### 5.5.3 Ensure default user shell timeout is 900 seconds
-    ###       or less (Scored)
-    - var_accounts_tmout=15_min
-    - accounts_tmout
-
-    ### 5.5.4 Ensure default group for the root account is
-    ###       GID 0 (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5539
-
-    ### 5.5.5 Ensure default user mask is 027 or more restrictive (Scored)
-    - var_accounts_user_umask=027
-    - accounts_umask_etc_bashrc
-    - accounts_umask_etc_profile
-
-    ## 5.6 Ensure root login is restricted to system console (Not Scored)
-    - securetty_root_login_console_only
-    - no_direct_root_logins
-
-    ## 5.7 Ensure access to the su command is restricted (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5541
-
-    # System Maintenance
-
-    ## 6.1 System File Permissions
-
-    ### 6.1.1 Audit system file permissions (Not Scored)
-    - rpm_verify_permissions
-    - rpm_verify_ownership
-    
-    ### 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
-    # chown root:root /etc/passwd
-    - file_owner_etc_passwd
-    - file_groupowner_etc_passwd
-
-    # chmod 644 /etc/passwd
-    - file_permissions_etc_passwd
-
-    ### 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
-    # chown root:root /etc/shadow
-    - file_owner_etc_shadow
-    - file_groupowner_etc_shadow
-
-    # chmod o-rwx,g-wx /etc/shadow
-    - file_permissions_etc_shadow
-
-    ### 6.1.4 Ensure permissions on /etc/group are configured (Scored)
-    # chown root:root /etc/group
-    - file_owner_etc_group
-    - file_groupowner_etc_group
-
-    # chmod 644 /etc/group
-    - file_permissions_etc_group
-
-    ### 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
-    # chown root:root /etc/gshadow
-    - file_owner_etc_gshadow
-    - file_groupowner_etc_gshadow
-
-    # chmod o-rwx,g-rw /etc/gshadow
-    - file_permissions_etc_gshadow
-
-    ### 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
-    # chown root:root /etc/passwd-
-    - file_owner_backup_etc_passwd
-    - file_groupowner_backup_etc_passwd
-
-    # chmod 644 /etc/passwd-
-    - file_permissions_backup_etc_passwd
-
-    ### 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
-    # chown root:root /etc/shadow-
-    - file_owner_backup_etc_shadow
-    - file_groupowner_backup_etc_shadow
-
-    # chmod 0000 /etc/shadow-
-    - file_permissions_backup_etc_shadow
-
-    ### 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
-    # chown root:root /etc/group-
-    - file_owner_backup_etc_group
-    - file_groupowner_backup_etc_group
-
-    # chmod 644 /etc/group-
-    - file_permissions_backup_etc_group
-    
-    ### 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
-    # chown root:root /etc/gshadow-
-    - file_owner_backup_etc_gshadow
-    - file_groupowner_backup_etc_gshadow
-
-    # chmod 0000 /etc/gshadow-
-    - file_permissions_backup_etc_gshadow
-
-    ### 6.1.10 Ensure no world writable files exist (Scored)
-    - file_permissions_unauthorized_world_writable
-
-    ### 6.1.11 Ensure no unowned files or directories exist (Scored)
-    - no_files_unowned_by_user
-
-    ### 6.1.12 Ensure no ungrouped files or directories exist (Scored)
-    - file_permissions_ungroupowned
-
-    ### 6.1.13 Audit SUID executables (Not Scored)
-    - file_permissions_unauthorized_suid
-
-    ### 6.1.14 Audit SGID executables (Not Scored)
-    - file_permissions_unauthorized_sgid
-
-    ## 6.2 User and Group Settings
-
-    ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
-    - no_legacy_plus_entries_etc_passwd
-
-    ### 6.2.4 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
-    - no_legacy_plus_entries_etc_shadow
-
-    ### 6.2.5 Ensure no legacy "+" entries exist in /etc/group (Scored)
-    - no_legacy_plus_entries_etc_group
-
-    ### 6.2.6 Ensure root is the only UID 0 account (Scored)
-    - accounts_no_uid_except_zero
-
-    ### 6.2.7 Ensure users' home directories permissions are 750
-    ###       or more restrictive (Scored)
-    - file_permissions_home_dirs
-
-    ### 6.2.8 Ensure users own their home directories (Scored)
-    # NEEDS RULE for user owner @ https://github.com/ComplianceAsCode/content/issues/5507
-    - file_groupownership_home_directories
-
-    ### 6.2.9 Ensure users' dot files are not group or world
-    ###       writable (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5506
-
-    ### 6.2.10 Ensure no users have .forward files (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5505
-
-    ### 6.2.11 Ensure no users have .netrc files (Scored)
-    - no_netrc_files
-
-    ### 6.2.12 Ensure users' .netrc Files are not group or
-    ###        world accessible (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5504
-
-    ### 6.2.13 Ensure no users have .rhosts files (Scored)
-    - no_rsh_trust_files
-
-    ### 6.2.14 Ensure all groups in /etc/passwd exist in
-    ###        /etc/group (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5503
-
-    ### 6.2.15 Ensure no duplicate UIDs exist (Scored)
-    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5502
-
-    ### 6.2.16 Ensure no duplicate GIDs exist (Scored)
-    # NEEDS RULE -  https://github.com/ComplianceAsCode/content/issues/5501
-
-    ### 6.2.17 Ensure no duplicate user names exist (Scored)
-    - account_unique_name
-
-    ### 6.2.18 Ensure no duplicate group names exist (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5500
-
-    ### 6.2.19 Ensure shadow group is empty (Scored)
-    # NEEDS RULE - https://github.com/ComplianceAsCode/content/issues/5499
-
-    ### 6.2.20 Ensure all users' home directories exist (Scored)
-    - accounts_user_interactive_home_directory_exists
+    - cis_rhel8:all:l2_server
diff --git a/products/rhel9/profiles/cis_server_l1.profile b/products/rhel9/profiles/cis_server_l1.profile
new file mode 100644
index 0000000000..18314d9c46
--- /dev/null
+++ b/products/rhel9/profiles/cis_server_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0.1
+    SMEs:
+        - vojtapolasek
+        - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Server'
+
+description: |-
+    This is a draft profile based on its RHEL8 version for experimental purposes.
+    It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+    the release.
+
+selections:
+    - cis_rhel8:all:l1_server
diff --git a/products/rhel9/profiles/cis_workstation_l1.profile b/products/rhel9/profiles/cis_workstation_l1.profile
new file mode 100644
index 0000000000..3ce1c80089
--- /dev/null
+++ b/products/rhel9/profiles/cis_workstation_l1.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0.1
+    SMEs:
+        - vojtapolasek
+        - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 1 - Workstation'
+
+description: |-
+    This is a draft profile based on its RHEL8 version for experimental purposes.
+    It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+    the release.
+
+selections:
+    - cis_rhel8:all:l1_workstation
diff --git a/products/rhel9/profiles/cis_workstation_l2.profile b/products/rhel9/profiles/cis_workstation_l2.profile
new file mode 100644
index 0000000000..84d76b801f
--- /dev/null
+++ b/products/rhel9/profiles/cis_workstation_l2.profile
@@ -0,0 +1,19 @@
+documentation_complete: true
+
+metadata:
+    version: 1.0.1
+    SMEs:
+        - vojtapolasek
+        - yuumasato
+
+reference: https://www.cisecurity.org/benchmark/red_hat_linux/
+
+title: '[DRAFT] CIS Red Hat Enterprise Linux 9 Benchmark for Level 2 - Workstation'
+
+description: |-
+    This is a draft profile based on its RHEL8 version for experimental purposes.
+    It is not based on the CIS benchmark for RHEL9, because this one was not available at time of
+    the release.
+
+selections:
+    - cis_rhel8:all:l2_workstation

From 11c06fcbc1c75bcc17a765d611449af66efcf3e0 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 20 Aug 2021 17:35:21 +0200
Subject: [PATCH 2/4] Add RHEL9 CIS kickstarts

Those are based on their RHEL8 counterparts
---
 products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg |   6 +-
 .../kickstart/ssg-rhel9-cis_server_l1-ks.cfg  | 133 ++++++++++++++++
 .../ssg-rhel9-cis_workstation_l1-ks.cfg       | 133 ++++++++++++++++
 .../ssg-rhel9-cis_workstation_l2-ks.cfg       | 143 ++++++++++++++++++
 4 files changed, 412 insertions(+), 3 deletions(-)
 create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
 create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
 create mode 100644 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg

diff --git a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
index 47685726dd..88290ff977 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis-ks.cfg
@@ -1,6 +1,6 @@
-# SCAP Security Guide CIS profile kickstart for Red Hat Enterprise Linux 9 Server
+# SCAP Security Guide CIS profile (Level 2 - Server) kickstart for Red Hat Enterprise Linux 9 Server
 # Version: 0.0.1
-# Date: 2021-07-13
+# Date: 2021-08-12
 #
 # Based on:
 # https://pykickstart.readthedocs.io/en/latest/
@@ -124,7 +124,7 @@ logvol swap --name=lv_swap --vgname=VolGroup --size=2016
 
 # Harden installation with CIS profile
 # For more details and configuration options see
-# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-com_redhat_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
 %addon com_redhat_oscap
         content-type = scap-security-guide
         profile = xccdf_org.ssgproject.content_profile_cis
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
new file mode 100644
index 0000000000..d8d24e4394
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
@@ -0,0 +1,133 @@
+# SCAP Security Guide CIS profile (Level 1 - Server) kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+#       "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled	reject incoming connections that are not in response to outbound requests
+# --ssh		allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+        content-type = scap-security-guide
+        profile = xccdf_org.ssgproject.content_profile_cis_server_l1
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
new file mode 100644
index 0000000000..fb6d0ab9a4
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
@@ -0,0 +1,133 @@
+# SCAP Security Guide CIS profile (Level 1 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+#       "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled	reject incoming connections that are not in response to outbound requests
+# --ssh		allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+        content-type = scap-security-guide
+        profile = xccdf_org.ssgproject.content_profile_cis_workstation_l1
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
new file mode 100644
index 0000000000..037de3a1b9
--- /dev/null
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l2-ks.cfg
@@ -0,0 +1,143 @@
+# SCAP Security Guide CIS profile (Level 2 - Workstation) kickstart for Red Hat Enterprise Linux 9 Server
+# Version: 0.0.1
+# Date: 2021-08-12
+#
+# Based on:
+# https://pykickstart.readthedocs.io/en/latest/
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#performing_an_automated_installation_using_kickstart
+
+# Specify installation method to use for installation
+# To use a different one comment out the 'url' one below, update
+# the selected choice with proper options & un-comment it
+#
+# Install from an installation tree on a remote server via FTP or HTTP:
+# --url		the URL to install from
+#
+# Example:
+#
+# url --url=http://192.168.122.1/image
+#
+# Modify concrete URL in the above example appropriately to reflect the actual
+# environment machine is to be installed in
+#
+# Other possible / supported installation methods:
+# * install from the first CD-ROM/DVD drive on the system:
+#
+# cdrom
+#
+# * install from a directory of ISO images on a local drive:
+#
+# harddrive --partition=hdb2 --dir=/tmp/install-tree
+#
+# * install from provided NFS server:
+#
+# nfs --server=<hostname> --dir=<directory> [--opts=<nfs options>]
+#
+
+# Set language to use during installation and the default language to use on the installed system (required)
+lang en_US.UTF-8
+
+# Set system keyboard type / layout (required)
+keyboard us
+
+# Configure network information for target system and activate network devices in the installer environment (optional)
+# --onboot	enable device at a boot time
+# --device	device to be activated and / or configured with the network command
+# --bootproto	method to obtain networking configuration for device (default dhcp)
+# --noipv6	disable IPv6 on this device
+#
+# NOTE: Usage of DHCP will fail CCE-27021-5 (DISA FSO RHEL-06-000292). To use static IP configuration,
+#       "--bootproto=static" must be used. For example:
+# network --bootproto=static --ip=10.0.2.15 --netmask=255.255.255.0 --gateway=10.0.2.254 --nameserver 192.168.2.1,192.168.3.1
+#
+network --onboot yes --device eth0 --bootproto dhcp --noipv6
+
+# Set the system's root password (required)
+# Plaintext password is: server
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+rootpw --iscrypted $6$/0RYeeRdK70ynvYz$jH2ZN/80HM6DjndHMxfUF9KIibwipitvizzXDH1zW.fTjyD3RD3tkNdNUaND18B/XqfAUW3vy1uebkBybCuIm0
+
+# The selected profile will restrict root login
+# Add a user that can login and escalate privileges
+# Plaintext password is: admin123
+user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
+
+# Configure firewall settings for the system (optional)
+# --enabled	reject incoming connections that are not in response to outbound requests
+# --ssh		allow sshd service through the firewall
+firewall --enabled --ssh
+
+# Set up the authentication options for the system (required)
+# sssd profile sets sha512 to hash passwords
+# passwords are shadowed by default
+# See the manual page for authselect-profile for a complete list of possible options.
+authselect select sssd
+
+# State of SELinux on the installed system (optional)
+# Defaults to enforcing
+selinux --enforcing
+
+# Set the system time zone (required)
+timezone --utc America/New_York
+
+# Specify how the bootloader should be installed (required)
+# Plaintext password is: password
+# Refer to e.g. https://pykickstart.readthedocs.io/en/latest/commands.html#rootpw to see how to create
+# encrypted password form for different plaintext password
+bootloader --location=mbr --append="crashkernel=auto rhgb quiet" --password=$6$zCPaBARiNlBYUAS7$40phthWpqvaPVz3QUeIK6n5qoazJDJD5Nlc9OKy5SyYoX9Rt4jFaLjzqJCwpgR4RVAEFSADsqQot0WKs5qNto0
+
+# Initialize (format) all disks (optional)
+zerombr
+
+# The following partition layout scheme assumes disk of size 20GB or larger
+# Modify size of partitions appropriately to reflect actual machine's hardware
+#
+# Remove Linux partitions from the system prior to creating new ones (optional)
+# --linux	erase all Linux partitions
+# --initlabel	initialize the disk label to the default based on the underlying architecture
+clearpart --linux --initlabel
+
+# Create primary system partitions (required for installs)
+part /boot --fstype=xfs --size=512
+part pv.01 --grow --size=1
+
+# Create a Logical Volume Management (LVM) group (optional)
+volgroup VolGroup --pesize=4096 pv.01
+
+# Create particular logical volumes (optional)
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+# Ensure /home Located On Separate Partition
+logvol /home --fstype=xfs --name=LogVol02 --vgname=VolGroup --size=1024 --fsoptions="nodev"
+# Ensure /tmp Located On Separate Partition
+logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
+# Ensure /var/tmp Located On Separate Partition
+logvol /var/tmp --fstype=xfs --name=LogVol7 --vgname=VolGroup --size=1024 --fsoptions="nodev,nosuid,noexec"
+# Ensure /var Located On Separate Partition
+logvol /var --fstype=xfs --name=LogVol03 --vgname=VolGroup --size=3072
+# Ensure /var/log Located On Separate Partition
+logvol /var/log --fstype=xfs --name=LogVol04 --vgname=VolGroup --size=1024
+# Ensure /var/log/audit Located On Separate Partition
+logvol /var/log/audit --fstype=xfs --name=LogVol05 --vgname=VolGroup --size=512
+logvol swap --name=lv_swap --vgname=VolGroup --size=2016
+
+
+# Harden installation with CIS profile
+# For more details and configuration options see
+# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/performing_an_advanced_rhel_installation/index#addon-org_fedora_oscap_kickstart-commands-for-addons-supplied-with-the-rhel-installation-program
+%addon com_redhat_oscap
+        content-type = scap-security-guide
+        profile = xccdf_org.ssgproject.content_profile_cis_workstation_l2
+%end
+
+# Packages selection (%packages section is required)
+%packages
+
+# Require @Base
+@Base
+
+%end # End of %packages section
+
+# Reboot after the installation is complete (optional)
+# --eject	attempt to eject CD or DVD media before rebooting
+reboot --eject

From 6775cda905bce1f01cc8e89245f7f5d3f53a5b8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 23 Aug 2021 10:16:50 +0200
Subject: [PATCH 3/4] Add CCEs

to rules that freshly made it into the RHEL9 CIS draft.
---
 .../ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml       | 1 +
 .../services/ssh/ssh_server/sshd_set_maxstartups/rule.yml   | 1 +
 .../rule.yml                                                | 1 +
 .../rule.yml                                                | 1 +
 .../accounts-session/root_paths/root_path_no_dot/rule.yml   | 1 +
 .../uefi/file_permissions_efi_grub2_cfg/rule.yml            | 1 +
 shared/references/cce-redhat-avail.txt                      | 6 ------
 7 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
index ee54a53dfd..059d25cc7c 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_loglevel_verbose/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-82419-3
     cce@rhel8: CCE-82420-1
+    cce@rhel9: CCE-86923-0
     cce@sle12: CCE-83077-8
     cce@sle15: CCE-83270-9
 
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
index 7aec7ffb2c..5a1bf4906e 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_set_maxstartups/rule.yml
@@ -23,6 +23,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-90714-7
     cce@rhel8: CCE-90718-8
+    cce@rhel9: CCE-87872-8
 
 references:
     cis@rhel7: 5.3.21
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
index 62b6f55e00..cf6c38d6f7 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_password_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-83476-2
     cce@rhel8: CCE-83478-8
+    cce@rhel9: CCE-86354-8
 
 references:
     cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
index 8cc56eb876..0eae61281f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_password_pam_pwhistory_remember_system_auth/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-83479-6
     cce@rhel8: CCE-83480-4
+    cce@rhel9: CCE-89176-2
 
 references:
     cis-csc: 1,12,15,16,5
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
index c94de8fa3e..151ad1ebe2 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/root_path_no_dot/rule.yml
@@ -22,6 +22,7 @@ severity: unknown
 identifiers:
     cce@rhel7: CCE-80199-3
     cce@rhel8: CCE-85914-0
+    cce@rhel9: CCE-88059-1
 
 references:
     cis-csc: 11,3,9
diff --git a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
index bc4fdcc7e0..d9c0be8ccf 100644
--- a/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
+++ b/linux_os/guide/system/bootloader-grub2/uefi/file_permissions_efi_grub2_cfg/rule.yml
@@ -22,6 +22,7 @@ severity: medium
 identifiers:
     cce@rhel7: CCE-83431-7
     cce@rhel8: CCE-85912-4
+    cce@rhel9: CCE-85925-6
 
 references:
     cis-csc: 12,13,14,15,16,18,3,5
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 6c33c2e85f..e80f25156e 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -50,7 +50,6 @@ CCE-85921-5
 CCE-85922-3
 CCE-85923-1
 CCE-85924-9
-CCE-85925-6
 CCE-85926-4
 CCE-85927-2
 CCE-85928-0
@@ -458,7 +457,6 @@ CCE-86350-6
 CCE-86351-4
 CCE-86352-2
 CCE-86353-0
-CCE-86354-8
 CCE-86355-5
 CCE-86356-3
 CCE-86357-1
@@ -1016,7 +1014,6 @@ CCE-86919-8
 CCE-86920-6
 CCE-86921-4
 CCE-86922-2
-CCE-86923-0
 CCE-86924-8
 CCE-86925-5
 CCE-86926-3
@@ -1947,7 +1944,6 @@ CCE-87868-6
 CCE-87869-4
 CCE-87870-2
 CCE-87871-0
-CCE-87872-8
 CCE-87873-6
 CCE-87874-4
 CCE-87875-1
@@ -2132,7 +2128,6 @@ CCE-88055-9
 CCE-88056-7
 CCE-88057-5
 CCE-88058-3
-CCE-88059-1
 CCE-88060-9
 CCE-88061-7
 CCE-88062-5
@@ -3226,7 +3221,6 @@ CCE-89171-3
 CCE-89172-1
 CCE-89173-9
 CCE-89174-7
-CCE-89176-2
 CCE-89177-0
 CCE-89178-8
 CCE-89179-6

From 6835e3d0d26ac210f2d376fdad647bb37cb22c8d Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 24 Aug 2021 10:43:22 +0200
Subject: [PATCH 4/4] Increase partition size for CIS kickstarts

---
 products/rhel8/kickstart/ssg-rhel8-cis_server_l1-ks.cfg      | 2 +-
 products/rhel8/kickstart/ssg-rhel8-cis_workstation_l1-ks.cfg | 2 +-
 products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg      | 2 +-
 products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
index d8d24e4394..1abcf90304 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_server_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup --pesize=4096 pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016
diff --git a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
index fb6d0ab9a4..e18e86f474 100644
--- a/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
+++ b/products/rhel9/kickstart/ssg-rhel9-cis_workstation_l1-ks.cfg
@@ -106,7 +106,7 @@ part pv.01 --grow --size=1
 volgroup VolGroup --pesize=4096 pv.01
 
 # Create particular logical volumes (optional)
-logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=10240 --grow
+logvol / --fstype=xfs --name=LogVol06 --vgname=VolGroup --size=16896 --grow
 # Ensure /tmp Located On Separate Partition
 logvol /tmp --fstype=xfs --name=LogVol01 --vgname=VolGroup --size=1024 --fsoptions="nodev,noexec,nosuid"
 logvol swap --name=lv_swap --vgname=VolGroup --size=2016