From f3e6ef75a941307be8a203ac06c40b8f6b79e8ef Mon Sep 17 00:00:00 2001
From: Matthew Burket
Date: Thu, 30 Sep 2021 13:43:34 -0500
Subject: [PATCH] Add rule for RHEL8 CIS 5.2.16 and RHEL7 CIS 5.3.19

Fixes #5526
---
 controls/cis_rhel7.yml | 4 +++-
 controls/cis_rhel8.yml | 6 +++---
 .../services/ssh/ssh_server/sshd_enable_pam/rule.yml | 11 +++++++++--
 shared/references/cce-redhat-avail.txt | 3 ---
 4 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index bd68e32ed99..dcc639072d7 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -1841,7 +1841,9 @@ controls:
       levels:
       - l1_server
       - l1_workstation
-      automated: no # rule missing
+      status: automated
+      rules:
+      - sshd_enable_pam
 
     - id: 5.3.20
       title: Ensure SSH AllowTcpForwarding is disabled (Automated)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index cbe1fc4e6a4..a505c4e80d4 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -1751,14 +1751,14 @@ controls:
       - l1_workstation
       automated: no
 
-      # NEEDS RULE
-      # https://github.com/ComplianceAsCode/content/issues/5526
     - id: 5.2.16
       title: Ensure SSH PAM is enabled (Automated)
       levels:
       - l1_server
       - l1_workstation
-      automated: no
+      status: automated
+      rules:
+      - sshd_enable_pam
 
     - id: 5.2.17
       title: Ensure SSH AllowTcpForwarding is disabled (Automated)
diff --git a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
index fe02c963e58..75a5855c196 100644
--- a/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
+++ b/linux_os/guide/services/ssh/ssh_server/sshd_enable_pam/rule.yml
@@ -18,14 +18,21 @@ rationale: |-
     the account. Additionally, you can make sure users inherit certain environment variables on login or disallow access to the server.
 
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86720-0
+    cce@rhel8: CCE-86721-8
+    cce@rhel9: CCE-86722-6
+
 references:
+    cis@rhel7: 5.3.19
+    cis@rhel8: 5.2.16
     cis@ubuntu2004: 5.2.19
     disa: CCI-000877
     srg: SRG-OS-000125-GPOS-00065
     stigid@ubuntu2004: UBTU-20-010035
 
-severity: medium
-
 ocil_clause: 'it is commented out or is not enabled'
 
 ocil: |-
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 46f9559ea84..5e5b9d17897 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -805,9 +805,6 @@ CCE-86716-8
 CCE-86717-6
 CCE-86718-4
 CCE-86719-2
-CCE-86720-0
-CCE-86721-8
-CCE-86722-6
 CCE-86723-4
 CCE-86724-2
 CCE-86725-9
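Review bot: The new `cce@rhel7`/`cce@rhel8`/`cce@rhel9` identifiers and `cis@rhel7`/`cis@rhel8` references only matter if the rule's `prodtype` (at the top of rule.yml, outside this hunk) already lists those products, and every pre-existing reference in this hunk is Ubuntu-only (`cis@ubuntu2004`, `stigid@ubuntu2004`), which suggests the rule may not have been built for RHEL until now. Please confirm `prodtype` includes `rhel7,rhel8,rhel9` and that the rule's OVAL check and remediations apply on RHEL, otherwise the control mapped in controls/cis_rhel7.yml and controls/cis_rhel8.yml points at a rule the RHEL datastreams never emit. On the security side, OpenSSH treats an absent `UsePAM` directive as `no`, so the check must fail on a missing directive (the existing `ocil_clause` already says so), and if the RHEL builds ship an `Include /etc/ssh/sshd_config.d/*.conf` line the check should evaluate the effective configuration rather than only /etc/ssh/sshd_config. A `cce@rhel9` is assigned without a matching `cis@rhel9` reference; fine if intentional, but worth a note in the commit message.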